CVE-2026-5314Improper Restriction of Operations within the Bounds of a Memory Buffer in STB

CWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-125Out-of-bounds Read8 documents8 sources
Severity
5.3MEDIUMNVD
EPSS
0.0%
top 89.45%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Nothings STB
Timeline
PublishedApr 1
Latest updateApr 2

Description

A vulnerability was found in Nothings stb up to 1.26. Impacted is the function stbtt_InitFont_internal in the library stb_truetype.h of the component TTF File Handler. Performing a manipulation results in out-of-bounds read. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages1 packages

CVEListV5nothings/stb27 versions+26

🔴Vulnerability Details

3
GHSA
GHSA-x46x-p265-r7jv: A vulnerability was found in Nothings stb up to 12026-04-02
OSV
CVE-2026-5314: A vulnerability was found in Nothings stb up to 12026-04-01
CVEList
Nothings stb TTF File stb_truetype.h stbtt_InitFont_internal out-of-bounds2026-04-01

📋Vendor Advisories

2
Red Hat
Nothings stb: stb_truetype.h: Nothings stb: Denial of Service via out-of-bounds read in stb_truetype.h2026-04-01
Debian
CVE-2026-5314: libstb - A vulnerability was found in Nothings stb up to 1.26. Impacted is the function s...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-5314 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

1
Bugzilla
CVE-2026-5314 stb: Nothings stb: Denial of Service via out-of-bounds read in stb_truetype.h [epel-all]2026-04-02
CVE-2026-5314 — Nothings STB vulnerability | cvebase