CVE-2026-32836

EUVD-2026-12631

17.03.2026, 20:16

dr_libs dr_flac.h version 0.13.3 and earlier (fixed in commits fefced4, 4f5a4cd, and 663239a) contain an uncontrolled memory allocation vulnerability in drflac__read_and_decode_metadata() that allows attackers to trigger excessive memory allocation by supplying crafted PICTURE metadata blocks. Attackers can exploit attacker-controlled mimeLength and descriptionLength fields to cause denial of service through memory exhaustion when processing FLAC streams with metadata callbacks.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.2 MEDIUM	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 2.71%

Affected Products (NVD)

Vendor	Product	Version
mackron	dr_libs	𝑥 ≤ 0.13.3

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/mackron/dr_libs/issues/298

Common Weakness Enumeration

CWE-789 - Memory Allocation with Excessive Size Value
The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

References

https://github.com/mackron/dr_libs/commit/4f5a4cd3b57564d969443c580c75857e039f100a

https://github.com/mackron/dr_libs/commit/663239a3d0460c33bd5b6e5166edcb404e3df676

https://github.com/mackron/dr_libs/commit/fefced4a64adfb1a68a2d31d882366e56096dee8

https://github.com/mackron/dr_libs/issues/298

https://www.vulncheck.com/advisories/mackron-dr-libs-excessive-memory-allocation-in-picture-metadata-parsing