Medium severity 6.2 · NVD Advisory · Published Mar 17, 2026 · Updated Apr 27, 2026
CVE-2026-32836
Description
dr_libs dr_flac.h versions 0.13.3 and earlier (fixed in commits fefced4, 4f5a4cd, and 663239a) contain an uncontrolled memory allocation vulnerability in drflac__read_and_decode_metadata() that allows attackers to trigger excessive memory allocation by supplying crafted PICTURE metadata blocks. The attacker-controlled mimeLength and descriptionLength fields can be used to cause denial of service through memory exhaustion when FLAC streams are processed with metadata callbacks.
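A bounded parse of the two length-prefixed strings named in the description, as an added example (not dr_flac's code and not the content of the fix commits). It follows the FLAC PICTURE layout (32-bit big-endian picture type, then MIME length and string, then description length and string) and assumes the whole metadata block is already in memory with a known size; the type and function names are hypothetical and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical holder for the text fields of a PICTURE block (not dr_flac's API). */
typedef struct { uint32_t type; char *mime; char *description; } picture_text;

/* Constructed samples: a valid block start, and one declaring a 0xFFFFFFFF-byte MIME string. */
static const uint8_t sample_ok[] = {0,0,0,3, 0,0,0,9,'i','m','a','g','e','/','p','n','g', 0,0,0,1,'x'};
static const uint8_t sample_bad[] = {0,0,0,3, 0xFF,0xFF,0xFF,0xFF, 'i','m'};

/* Read a big-endian u32 at *off; callers keep the invariant *off <= len. */
static int read_be32(const uint8_t *p, size_t len, size_t *off, uint32_t *out) {
    if (len - *off < 4) return 0;
    const uint8_t *b = p + *off;
    *out = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
    *off += 4;
    return 1;
}

/* Length-prefixed string: allocate only after the declared length is proven to fit the block. */
static char *read_lstring(const uint8_t *p, size_t len, size_t *off) {
    uint32_t n;
    if (!read_be32(p, len, off, &n) || n > len - *off) return NULL;
    char *s = malloc((size_t)n + 1);
    if (!s) return NULL;
    memcpy(s, p + *off, n);
    s[n] = '\0';
    *off += n;
    return s;
}

/* Returns 0 and fills *out on success, -1 on a malformed or truncated block. */
int parse_picture_text(const uint8_t *block, size_t len, picture_text *out) {
    size_t off = 0;
    memset(out, 0, sizeof *out);
    if (!read_be32(block, len, &off, &out->type)) return -1;
    out->mime = read_lstring(block, len, &off);
    if (out->mime) out->description = read_lstring(block, len, &off);
    if (out->mime && out->description) return 0;
    free(out->mime); out->mime = NULL;
    return -1;
}

int main(void) {
    picture_text pt;
    int ok = parse_picture_text(sample_ok, sizeof sample_ok, &pt);
    free(pt.mime); free(pt.description);
    return !(ok == 0 && parse_picture_text(sample_bad, sizeof sample_bad, &pt) == -1);
}
```

The allocation size is bounded by the bytes that remain in the block, so a declared length larger than the block is rejected before `malloc` is reached.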
Affected products: 1
Patches: 0
No patches discovered yet.
References (5)
- github.com/mackron/dr_libs/issues/298 (nvd: Exploit, Issue Tracking, Mitigation, Vendor Advisory)
- www.vulncheck.com/advisories/mackron-dr-libs-excessive-memory-allocation-in-picture-metadata-parsing (nvd: Third Party Advisory)
- github.com/mackron/dr_libs/commit/4f5a4cd3b57564d969443c580c75857e039f100a (nvd)
- github.com/mackron/dr_libs/commit/663239a3d0460c33bd5b6e5166edcb404e3df676 (nvd)
- github.com/mackron/dr_libs/commit/fefced4a64adfb1a68a2d31d882366e56096dee8 (nvd)