CVE-2026-32837

miniaudio version 0.11.25 and earlier contain a heap out-of-bounds read vulnerability in the WAV BEXT metadata parser that allows attackers to trigger memory access violations by processing crafted WAV files. Attackers can exploit improper null-termination handling in the coding history field to cause out-of-bounds reads past the allocated metadata pool, resulting in application crashes or denial of service.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/mackron/miniaudio/issues/1101	Exploit Issue Tracking Vendor Advisory Mitigation
https://www.vulncheck.com/advisories/mackron-miniaudio-out-of-bounds-read-in-bext-coding-history-parsing	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mackron:miniaudio:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-17 20:16

Updated : 2026-03-19 19:26

NVD link : CVE-2026-32837

Mitre link : CVE-2026-32837

CVE.ORG link : CVE-2026-32837

JSON object : View

Products Affected

mackron

miniaudio

CWE

CWE-170

Improper Null Termination

{"id": "CVE-2026-32837", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-17T20:16:14.177", "references": [{"url": "https://github.com/mackron/miniaudio/issues/1101", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory", "Mitigation"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/mackron-miniaudio-out-of-bounds-read-in-bext-coding-history-parsing", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-170"}]}], "descriptions": [{"lang": "en", "value": "miniaudio version 0.11.25 and earlier contain a heap out-of-bounds read vulnerability in the WAV BEXT metadata parser that allows attackers to trigger memory access violations by processing crafted WAV files. Attackers can exploit improper null-termination handling in the coding history field to cause out-of-bounds reads past the allocated metadata pool, resulting in application crashes or denial of service."}, {"lang": "es", "value": "miniaudio versi\u00f3n 0.11.25 y anteriores contienen una vulnerabilidad de lectura fuera de l\u00edmites en el heap en el analizador de metadatos BEXT de WAV que permite a los atacantes desencadenar violaciones de acceso a la memoria al procesar archivos WAV manipulados. Los atacantes pueden explotar un manejo inadecuado de la terminaci\u00f3n nula en el campo de historial de codificaci\u00f3n para causar lecturas fuera de l\u00edmites m\u00e1s all\u00e1 del pool de metadatos asignado, lo que resulta en ca\u00eddas de la aplicaci\u00f3n o denegaci\u00f3n de servicio."}], "lastModified": "2026-03-19T19:26:11.270", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mackron:miniaudio:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "67C8DA11-B9B8-471B-9100-F56B15320D81", "versionEndIncluding": "0.11.25"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}