Vulnerability Description
miniaudio versions 0.11.25 and earlier (fixed in commits 1df46ae and 1df46ae) contain a heap out-of-bounds read vulnerability in the WAV BEXT metadata parser that allows attackers to trigger memory access violations by processing crafted WAV files. Attackers can exploit improper null-termination handling in the coding history field to cause out-of-bounds reads past the allocated metadata pool, resulting in application crashes or denial of service.
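A bounded way to extract a trailing, possibly unterminated text field such as the BEXT coding history, shown as an added example (not miniaudio's or dr_libs' code). The function name is hypothetical, the 602-byte fixed size is the BEXT layout from EBU Tech 3285, and the sample chunk in `main` is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size part of a BEXT chunk body (EBU Tech 3285); the variable-length
 * coding history field occupies whatever bytes follow it. */
#define BEXT_FIXED_SIZE 602u

/* Hypothetical helper (assumed name, not a miniaudio API). Copies the coding
 * history into a new buffer that is always NUL-terminated. The field may end
 * at a NUL or simply at the end of the chunk, so the scan is bounded by
 * chunk_size and never relies on a terminator being present in the file.
 * Returns NULL for a truncated chunk or on allocation failure. */
char *bext_copy_coding_history(const unsigned char *chunk, size_t chunk_size,
                               size_t *out_len)
{
    const unsigned char *field, *nul;
    size_t field_size, len;
    char *copy;
    if (chunk == NULL || chunk_size < BEXT_FIXED_SIZE)
        return NULL;
    field = chunk + BEXT_FIXED_SIZE;
    field_size = chunk_size - BEXT_FIXED_SIZE;

    /* memchr inspects at most field_size bytes, unlike strlen. */
    nul = field_size ? memchr(field, '\0', field_size) : NULL;
    len = nul ? (size_t)(nul - field) : field_size;
    copy = malloc(len + 1);        /* room for the terminator we add */
    if (copy == NULL)
        return NULL;
    memcpy(copy, field, len);
    copy[len] = '\0';
    if (out_len != NULL) *out_len = len;
    return copy;
}

int main(void)
{
    /* Constructed sample: the history fills the chunk and contains no NUL. */
    unsigned char chunk[BEXT_FIXED_SIZE + 5];
    size_t len = 0;
    char *s;
    memset(chunk, ' ', sizeof chunk);
    memcpy(chunk + BEXT_FIXED_SIZE, "A=PCM", 5);
    s = bext_copy_coding_history(chunk, sizeof chunk, &len);
    printf("%zu %s\n", len, s ? s : "(null)");
    free(s);
    return 0;
}
```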
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mackron | Miniaudio | <= 0.11.25 |
References
- https://github.com/mackron/dr_libs/commit/04e40d66a7ba1632f93ec1328d4b42ad986e3e
- https://github.com/mackron/miniaudio/commit/1df46ae9a0eed5aa9f58b179d2cc4af5d23f
- https://github.com/mackron/miniaudio/issues/1101 (Exploit, Issue Tracking, Mitigation)
- https://www.vulncheck.com/advisories/mackron-miniaudio-out-of-bounds-read-in-bex (Third Party Advisory)
FAQ
What is CVE-2026-32837?
CVE-2026-32837 is a vulnerability with a CVSS score of 4.0 (MEDIUM).
How severe is CVE-2026-32837?
CVE-2026-32837 has been rated MEDIUM with a CVSS base score of 4.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32837?
Check the references section above for vendor advisories and patch information. Affected products include: Mackron Miniaudio.