CVE-2026-5186: Improper Restriction of Operations within the Bounds of a Memory Buffer in STB

Severity
4.8 MEDIUM (NVD)
EPSS
0.0%
top 97.79%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Mar 31

Description

A weakness has been identified in Nothings stb up to 2.30. It affects the function stbi__load_gif_main in the file stb_image.h of the component Multi-frame GIF File Handler. Manipulation causes a double free. The attack requires local access. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages: 1 package

CVEListV5 nothings/stb 31 versions +30

🔴Vulnerability Details

3
OSV
CVE-2026-5186: A weakness has been identified in Nothings stb up to 2 (2026-03-31)
CVEList
Nothings stb Multi-frame GIF File stb_image.h stbi__load_gif_main double free (2026-03-31)
GHSA
GHSA-593x-hf83-hmrv: A weakness has been identified in Nothings stb up to 2 (2026-03-31)

📋Vendor Advisories

1
Debian
CVE-2026-5186: libstb - A weakness has been identified in Nothings stb up to 2.30. This impacts the func... (2026)

🕵️Threat Intelligence

1
Wiz
CVE-2026-5186 Impact, Exploitability, and Mitigation Steps | Wiz