CVE-2026-32837

EUVD-2026-12633

17.03.2026, 20:16

miniaudio version 0.11.25 and earlier (fixed in commits 1df46ae and 1df46ae) contain a heap out-of-bounds read vulnerability in the WAV BEXT metadata parser that allows attackers to trigger memory access violations by processing crafted WAV files. Attackers can exploit improper null-termination handling in the coding history field to cause out-of-bounds reads past the allocated metadata pool, resulting in application crashes or denial of service.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4 MEDIUM	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 0.23%

Affected Products (NVD)

Vendor	Product	Version
mackron	miniaudio	𝑥 ≤ 0.11.25

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

miniaudio

forky	vulnerable
sid	vulnerable
trixie	no-dsa

Ubuntu Releases

Ubuntu Product

Codename

miniaudio

jammy	dne
noble	needs-triage
questing	needs-triage
resolute	needs-triage

Known Exploits!

https://github.com/mackron/miniaudio/issues/1101

Common Weakness Enumeration

CWE-170 - Improper Null Termination
The software does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.

References

https://github.com/mackron/dr_libs/commit/04e40d66a7ba1632f93ec1328d4b42ad986e3ee0

https://github.com/mackron/miniaudio/commit/1df46ae9a0eed5aa9f58b179d2cc4af5d23f8bde

https://github.com/mackron/miniaudio/issues/1101

https://www.vulncheck.com/advisories/mackron-miniaudio-out-of-bounds-read-in-bext-coding-history-parsing