CVE-2026-5317

MediumPublic PoC

Published: 02 April 2026

Published

02 April 2026

Modified

30 April 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

EPSS Score 0.0005 14.4th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-5317 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Nothings Stb Vorbis.C. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 14.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely remediation of the out-of-bounds write flaw in stb_vorbis.c by patching, replacing, or removing the vulnerable library versions up to 1.22.

SI-16 Memory Protection good match

prevent

Implements memory protections such as non-executable data regions and stack guards to block unauthorized code execution from the out-of-bounds write exploitation.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Enables scanning and monitoring to identify the presence of CVE-2026-5317 in system dependencies like the stb library.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

Client-side OOB write in audio decoder library requires user interaction to trigger via malicious file, enabling exploitation for client execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A security flaw has been discovered in Nothings stb up to 1.22. This affects the function start_decoder of the file stb_vorbis.c. The manipulation results in out-of-bounds write. The attack may be performed from remote. The exploit has been released to…

the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysisAI

CVE-2026-5317 is an out-of-bounds write vulnerability in the Nothings stb library, affecting versions up to 1.22. The flaw resides in the start_decoder function within the stb_vorbis.c file and was published on 2026-04-02.

The vulnerability can be exploited remotely by unauthenticated attackers with low attack complexity, though it requires user interaction. Exploitation leads to low impacts on confidentiality, integrity, and availability, earning a CVSS 3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L). It maps to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-787 (Out-of-bounds Write). A public exploit has been released.

VulDB advisories document the issue across multiple entries, including recent submissions and CTI details, while a GitHub Gist hosts the exploit code. The vendor was contacted early but provided no response or patches. Security practitioners should audit dependencies on stb_vorbis.c and consider isolating or replacing affected components.