#1134888 libstb: CVE-2026-5317

Package:
src:libstb
Source:
src:libstb
Submitter:
Moritz Mühlenhoff
Date:
2026-04-25 11:17:02 UTC
Severity:
normal
Tags:
#1134888#5
Date:
2026-04-25 11:07:29 UTC
From:
To:
Hi,

The following vulnerability was published for libstb.

CVE-2026-5317[0]:
| A security flaw has been discovered in Nothings stb up to 1.22. This
| affects the function start_decoder of the file stb_vorbis.c. The
| manipulation results in out-of-bounds write. The attack may be
| performed from remote. The exploit has been released to the public
| and may be used for attacks. The vendor was contacted early about
| this disclosure but did not respond in any way.

https://github.com/nothings/stb/issues/1928 (issue #15)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-5317
https://www.cve.org/CVERecord?id=CVE-2026-5317

Please adjust the affected versions in the BTS as needed.