CVE-2026-5317

Publication date 2 April 2026

Last updated 10 July 2026


Ubuntu priority

Cvss 3 Severity Score

6.3 · Medium

Score breakdown

Description

A security flaw has been discovered in Nothings stb up to 1.22. This affects the function start_decoder of the file stb_vorbis.c. The manipulation results in out-of-bounds write. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Status

Package Ubuntu Release Status
libstb 26.04 LTS resolute
Needs evaluation
25.10 questing Ignored end of life, was needs-triage
24.04 LTS noble
Needs evaluation
22.04 LTS jammy
Needs evaluation
20.04 LTS focal
Needs evaluation

Severity score breakdown

CVSS version:

Base score 2.1 · Low

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Base score 6.3 · Medium

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L


Access our resources on patching vulnerabilities