| Name | CVE-2026-32836 |
| Description | dr_libs dr_flac.h version 0.13.3 and earlier (fixed in commits fefced4, 4f5a4cd, and 663239a) contain an uncontrolled memory allocation vulnerability in drflac__read_and_decode_metadata() that allows attackers to trigger excessive memory allocation by supplying crafted PICTURE metadata blocks. Attackers can exploit attacker-controlled mimeLength and descriptionLength fields to cause denial of service through memory exhaustion when processing FLAC streams with metadata callbacks. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| libchdr (PTS) | trixie | 0.0~git20240929.aaca599+dfsg-1 | vulnerable |
| forky, sid | 0.3.0+dfsg-1 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| libchdr | source | (unstable) | (unfixed) | | | |
Notes
[trixie] - libchdr <no-dsa> (Minor issue)
qtads, dosbox-x and love bundle a copy, but these are standalone end user apps, so no security impact
https://github.com/mackron/dr_libs/issues/298
https://github.com/mackron/dr_libs/commit/663239a3d0460c33bd5b6e5166edcb404e3df676
https://github.com/mackron/dr_libs/commit/fefced4a64adfb1a68a2d31d882366e56096dee8
https://github.com/mackron/dr_libs/commit/4f5a4cd3b57564d969443c580c75857e039f100a