Cyber Resilience

CVE-2026-5317

LowPublic PoC

Published: 02 April 2026

Published
02 April 2026
Modified
30 April 2026
KEV Added
Patch
CVSS Score v4 2.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0043 34.0th percentile
Risk Priority 15 floored blend · peak EPSS

Summary

CVE-2026-5317 is a low-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Nothings Stb Vorbis.C. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 34.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-5317 is an out-of-bounds write vulnerability in the Nothings stb library, affecting versions up to 1.22. The flaw resides in the start_decoder function within the stb_vorbis.c file and was published on 2026-04-02.

The vulnerability can be exploited remotely by unauthenticated attackers with low attack complexity, though it requires user interaction. Exploitation leads to low impacts on confidentiality, integrity, and availability, earning a CVSS 3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L). It maps to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-787 (Out-of-bounds Write). A public exploit has been released.

VulDB advisories document the issue across multiple entries, including recent submissions and CTI details, while a GitHub Gist hosts the exploit code. The vendor was contacted early but provided no response or patches. Security practitioners should audit dependencies on stb_vorbis.c and consider isolating or replacing affected components.

EU & UK References

Vulnerability details

A security flaw has been discovered in Nothings stb up to 1.22. This affects the function start_decoder of the file stb_vorbis.c. The manipulation results in out-of-bounds write. The attack may be performed from remote. The exploit has been released to…

more

the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Client-side OOB write in audio decoder library requires user interaction to trigger via malicious file, enabling exploitation for client execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2750Shared CWE-119, CWE-787
CVE-2026-5314Same vendor: Nothings
CVE-2026-5315Same vendor: Nothings
CVE-2026-25582Shared CWE-119, CWE-787
CVE-2025-2151Shared CWE-119, CWE-787
CVE-2025-2368Shared CWE-119, CWE-787
CVE-2025-43264Shared CWE-119
CVE-2026-34636Shared CWE-787
CVE-2026-21305Shared CWE-787
CVE-2026-0536Shared CWE-787

Affected Assets

nothings
stb vorbis.c
≤ 1.22

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely remediation of the out-of-bounds write flaw in stb_vorbis.c by patching, replacing, or removing the vulnerable library versions up to 1.22.

prevent

Implements memory protections such as non-executable data regions and stack guards to block unauthorized code execution from the out-of-bounds write exploitation.

detect

Enables scanning and monitoring to identify the presence of CVE-2026-5317 in system dependencies like the stb library.

References