Cyber Resilience

CVE-2026-5314

Severity: Low · Public PoC

Published: 01 April 2026
Modified: 30 April 2026
KEV Added: not listed
Patch: none noted
CVSS Score (v4): 2.1, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0066 (46.9th percentile)
Risk Priority: 15 (floored blend · peak EPSS)

Summary

CVE-2026-5314 is a low-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Nothings Stb Truetype.H. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 46.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-5314 is an out-of-bounds read vulnerability affecting the Nothings stb single-header library, versions up to 1.26. The issue resides in the stbtt_InitFont_internal function of stb_truetype.h, part of the TTF File Handler component. A manipulated TTF file triggers the out-of-bounds read; the weakness is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-125 (Out-of-bounds Read).

Remote attackers can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), unchanged scope (S:U), no confidentiality or integrity impact (C:N/I:N), and low availability impact (A:L), yielding a CVSS v3.1 base score of 4.3. Exploitation causes a denial-of-service condition through memory corruption, and a public exploit is available for potential use by unauthenticated attackers.

Advisories and details are provided in references including a GitHub gist at https://gist.github.com/d0razi/cb31a92f3205a4373f19b7da25946848 containing the exploit, along with VulDB entries at https://vuldb.com/submit/780558, https://vuldb.com/vuln/354646, and https://vuldb.com/vuln/354646/cti. The vendor was contacted early for disclosure but provided no response, with no patches or official mitigations noted.

The exploit was published on 2026-04-01; it has been publicly disclosed and could be used.

Vulnerability details

A vulnerability was found in Nothings stb up to 1.26. Impacted is the function stbtt_InitFont_internal in the library stb_truetype.h of the component TTF File Handler. Performing a manipulation results in out-of-bounds read. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s): CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-125 (Out-of-bounds Read)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Out-of-bounds read in TTF file handler leads to denial-of-service via memory corruption, directly enabling application exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5315 (same product: Nothings Stb Truetype.H)
CVE-2026-2659 (shared CWE-119, CWE-125)
CVE-2026-3663 (shared CWE-119, CWE-125)
CVE-2026-3386 (shared CWE-119, CWE-125)
CVE-2026-3731 (shared CWE-119, CWE-125)
CVE-2026-2858 (shared CWE-119, CWE-125)
CVE-2026-5317 (same vendor: Nothings)
CVE-2026-2644 (shared CWE-119, CWE-125)
CVE-2026-2662 (shared CWE-119, CWE-125)
CVE-2025-21598 (shared CWE-125)

Affected Assets

nothings stb truetype.h, versions ≤ 1.26

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation (prevent): Directly requires timely identification, reporting, and correction of flaws like the out-of-bounds read in stb_truetype.h to prevent exploitation of CVE-2026-5314.

SI-16 Memory Protection (prevent): Implements memory protection safeguards that mitigate out-of-bounds read vulnerabilities by preventing unauthorized memory access and exploitation leading to denial-of-service.

Input validation (prevent): Requires validation of TTF file inputs to the stbtt_InitFont_internal function, reducing the risk of malformed files triggering the out-of-bounds read.
