Medium severity4.3NVD Advisory· Published Apr 1, 2026· Updated Apr 30, 2026

CVE-2026-5314

Description

A vulnerability was found in Nothings stb up to 1.26. Impacted is the function stbtt_InitFont_internal in the library stb_truetype.h of the component TTF File Handler. Performing a manipulation results in out-of-bounds read. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected products

Nothings/Stb Truetype.h
cpe:2.3:a:nothings:stb_truetype.h:*:*:*:*:*:*:*:*
Range: <=1.26

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

gist.github.com/d0razi/cb31a92f3205a4373f19b7da25946848nvdExploitThird Party Advisory
vuldb.com/submit/780558nvdThird Party AdvisoryVDB Entry
vuldb.com/vuln/354646nvdThird Party AdvisoryVDB Entry
vuldb.com/vuln/354646/ctinvdPermissions RequiredVDB Entry

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000