CVE-2026-5317

Name	CVE-2026-5317
Description	A security flaw has been discovered in Nothings stb up to 1.22. This affects the function start_decoder of the file stb_vorbis.c. The manipulation results in out-of-bounds write. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libstb (PTS)	bullseye	0.0~git20200713.b42009b+ds-1	vulnerable
	bullseye (security)	0.0~git20200713.b42009b+ds-1+deb11u1	vulnerable
	bookworm	0.0~git20220908.8b5f1f3+ds-1	vulnerable
	trixie	0.0~git20241109.5c20573+ds-1	vulnerable
	forky, sid	0.0~git20250907.fede005+ds-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
libstb	source	(unstable)	(unfixed)

[trixie] - libstb <no-dsa> (Minor issue)
[bookworm] - libstb <no-dsa> (Minor issue)
https://github.com/nothings/stb/issues/1928 (issue #15)