CVE-2026-32836

MEDIUM

mackron / dr_libs Excessive Memory Allocation in PICTURE Metadata Parsing

Title source: cna

Description

dr_libs dr_flac.h version 0.13.3 and earlier (fixed in commits fefced4, 4f5a4cd, and 663239a) contains an uncontrolled memory allocation vulnerability in drflac__read_and_decode_metadata(): a crafted PICTURE metadata block can trigger excessive memory allocation. Because the block's mimeLength and descriptionLength fields are attacker-controlled, a crafted FLAC stream can cause denial of service through memory exhaustion when it is processed with metadata callbacks.

Scores

CVSS v3 6.2
EPSS 0.0001
EPSS Percentile 2.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-789
Status published
Products (5)
mackron/dr_libs < 0.13.3 (2 CPE variants)
mackron/dr_libs dr_flac.h < 0.13.3
mackron/dr_libs dr_flac.h 4f5a4cd3b57564d969443c580c75857e039f100a (2 CPE variants)
mackron/dr_libs dr_flac.h 663239a3d0460c33bd5b6e5166edcb404e3df676 (2 CPE variants)
mackron/dr_libs dr_flac.h fefced4a64adfb1a68a2d31d882366e56096dee8 (2 CPE variants)
Published Mar 17, 2026
Tracked Since Mar 18, 2026