CVE-2026-32837

miniaudio version 0.11.25 and earlier (fixed in commits 1df46ae and 1df46ae) contain a heap out-of-bounds read vulnerability in the WAV BEXT metadata parser that allows attackers to trigger memory access violations by processing crafted WAV files. Attackers can exploit improper null-termination handling in the coding history field to cause out-of-bounds reads past the allocated metadata pool, resulting in application crashes or denial of service.
Configurations

Configuration 1

cpe:2.3:a:mackron:miniaudio:*:*:*:*:*:*:*:*

History

27 Apr 2026, 16:16

Type: References
Values Removed: (none)
Values Added:
  • https://github.com/mackron/dr_libs/commit/04e40d66a7ba1632f93ec1328d4b42ad986e3ee0
  • https://github.com/mackron/miniaudio/commit/1df46ae9a0eed5aa9f58b179d2cc4af5d23f8bde

Type: References
Values Removed: https://github.com/mackron/miniaudio/issues/1101 - Exploit, Issue Tracking, Vendor Advisory, Mitigation
Values Added: https://github.com/mackron/miniaudio/issues/1101 - Exploit, Issue Tracking, Mitigation, Vendor Advisory

Type: Summary
Values Removed: (en) miniaudio version 0.11.25 and earlier contain a heap out-of-bounds read vulnerability in the WAV BEXT metadata parser that allows attackers to trigger memory access violations by processing crafted WAV files. Attackers can exploit improper null-termination handling in the coding history field to cause out-of-bounds reads past the allocated metadata pool, resulting in application crashes or denial of service.
Values Added: (en) miniaudio version 0.11.25 and earlier (fixed in commits 1df46ae and 1df46ae) contain a heap out-of-bounds read vulnerability in the WAV BEXT metadata parser that allows attackers to trigger memory access violations by processing crafted WAV files. Attackers can exploit improper null-termination handling in the coding history field to cause out-of-bounds reads past the allocated metadata pool, resulting in application crashes or denial of service.

Type: CVSS
Values Removed: v2 : unknown, v3 : 5.5
Values Added: v2 : unknown, v3 : 4.0

19 Mar 2026, 19:26

Type: First Time
Values Removed: (none)
Values Added:
  • Mackron
  • Mackron miniaudio

Type: CVSS
Values Removed: v2 : unknown, v3 : unknown
Values Added: v2 : unknown, v3 : 5.5

Type: CPE
Values Removed: (none)
Values Added: cpe:2.3:a:mackron:miniaudio:*:*:*:*:*:*:*:*

Type: References
Values Removed: https://github.com/mackron/miniaudio/issues/1101 - (no tags)
Values Added: https://github.com/mackron/miniaudio/issues/1101 - Exploit, Issue Tracking, Vendor Advisory, Mitigation

Type: References
Values Removed: https://www.vulncheck.com/advisories/mackron-miniaudio-out-of-bounds-read-in-bext-coding-history-parsing - (no tags)
Values Added: https://www.vulncheck.com/advisories/mackron-miniaudio-out-of-bounds-read-in-bext-coding-history-parsing - Third Party Advisory

18 Mar 2026, 14:52

Type: Summary
Values Removed: (none)
Values Added:
  • (es) miniaudio version 0.11.25 and earlier contain a heap out-of-bounds read vulnerability in the WAV BEXT metadata parser that allows attackers to trigger memory access violations by processing crafted WAV files. Attackers can exploit improper null-termination handling in the coding history field to cause out-of-bounds reads past the allocated metadata pool, resulting in application crashes or denial of service.

17 Mar 2026, 20:16

Type: New CVE

Information

Published : 2026-03-17 20:16

Updated : 2026-04-27 16:16


NVD link : CVE-2026-32837

Mitre link : CVE-2026-32837

CVE.ORG link : CVE-2026-32837



Products Affected

mackron

  • miniaudio
CWE
CWE-170

Improper Null Termination