{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32837", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-16T18:11:41.757Z", "datePublished": "2026-03-17T19:10:06.080Z", "dateUpdated": "2026-03-17T19:59:38.500Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-17T19:10:06.080Z"}, "title": "mackron / miniaudio Out-of-Bounds Read in BEXT Coding History Parsing", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-170", "description": "CWE-170 Improper null termination", "type": "CWE"}]}], "affected": [{"vendor": "mackron", "product": "miniaudio", "repo": "https://github.com/mackron/miniaudio", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "0.11.25", "versionType": "semver"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "miniaudio version 0.11.25 and earlier contain a heap out-of-bounds read vulnerability in the WAV BEXT metadata parser that allows attackers to trigger memory access violations by processing crafted WAV files. Attackers can exploit improper null-termination handling in the coding history field to cause out-of-bounds reads past the allocated metadata pool, resulting in application crashes or denial of service.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "miniaudio version 0.11.25 and earlier contain a heap out-of-bounds read vulnerability in the WAV BEXT metadata parser that allows attackers to trigger memory access violations by processing crafted WAV files. Attackers can exploit improper null-termination handling in the coding history field to cause out-of-bounds reads past the allocated metadata pool, resulting in application crashes or denial of service."}]}], "references": [{"url": "https://github.com/mackron/miniaudio/issues/1101", "tags": ["issue-tracking"]}, {"url": "https://www.vulncheck.com/advisories/mackron-miniaudio-out-of-bounds-read-in-bext-coding-history-parsing", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Ana Kapulica", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T19:53:12.862725Z", "id": "CVE-2026-32837", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T19:59:38.500Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32837", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-17T19:53:12.862725Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T19:59:34.348Z"}}], "cna": {"title": "mackron / miniaudio Out-of-Bounds Read in BEXT Coding History Parsing", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Ana Kapulica"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/mackron/miniaudio", "vendor": "mackron", "product": "miniaudio", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.11.25"}], "defaultStatus": "unknown"}], "references": [{"url": "https://github.com/mackron/miniaudio/issues/1101", "tags": ["issue-tracking"]}, {"url": "https://www.vulncheck.com/advisories/mackron-miniaudio-out-of-bounds-read-in-bext-coding-history-parsing", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "miniaudio version 0.11.25 and earlier contain a heap out-of-bounds read vulnerability in the WAV BEXT metadata parser that allows attackers to trigger memory access violations by processing crafted WAV files. Attackers can exploit improper null-termination handling in the coding history field to cause out-of-bounds reads past the allocated metadata pool, resulting in application crashes or denial of service.", "supportingMedia": [{"type": "text/html", "value": "miniaudio version 0.11.25 and earlier contain a heap out-of-bounds read vulnerability in the WAV BEXT metadata parser that allows attackers to trigger memory access violations by processing crafted WAV files. Attackers can exploit improper null-termination handling in the coding history field to cause out-of-bounds reads past the allocated metadata pool, resulting in application crashes or denial of service.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-170", "description": "CWE-170 Improper null termination"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-17T19:10:06.080Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32837", "state": "PUBLISHED", "dateUpdated": "2026-03-17T19:59:38.500Z", "dateReserved": "2026-03-16T18:11:41.757Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-17T19:10:06.080Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mackron:miniaudio:*:*:*:*:*:*:*:*", "matchCriteriaId": "67C8DA11-B9B8-471B-9100-F56B15320D81", "versionEndIncluding": "0.11.25", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "miniaudio version 0.11.25 and earlier contain a heap out-of-bounds read vulnerability in the WAV BEXT metadata parser that allows attackers to trigger memory access violations by processing crafted WAV files. Attackers can exploit improper null-termination handling in the coding history field to cause out-of-bounds reads past the allocated metadata pool, resulting in application crashes or denial of service."}, {"lang": "es", "value": "miniaudio versi\u00f3n 0.11.25 y anteriores contienen una vulnerabilidad de lectura fuera de l\u00edmites en el heap en el analizador de metadatos BEXT de WAV que permite a los atacantes desencadenar violaciones de acceso a la memoria al procesar archivos WAV manipulados. Los atacantes pueden explotar un manejo inadecuado de la terminaci\u00f3n nula en el campo de historial de codificaci\u00f3n para causar lecturas fuera de l\u00edmites m\u00e1s all\u00e1 del pool de metadatos asignado, lo que resulta en ca\u00eddas de la aplicaci\u00f3n o denegaci\u00f3n de servicio."}], "id": "CVE-2026-32837", "lastModified": "2026-03-19T19:26:11.270", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-17T20:16:14.177", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory", "Mitigation"], "url": "https://github.com/mackron/miniaudio/issues/1101"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/mackron-miniaudio-out-of-bounds-read-in-bext-coding-history-parsing"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-170"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{"bugzilla": {"description": "miniaudio: miniaudio: Denial of Service via crafted WAV files due to heap out-of-bounds read", "id": "2448445", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448445"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-170", "details": ["A flaw was found in miniaudio. An attacker can exploit a heap out-of-bounds read vulnerability in the WAV BEXT metadata parser by processing a specially crafted WAV file. This vulnerability, caused by improper null-termination handling in the coding history field, allows for out-of-bounds reads past the allocated metadata pool. Successful exploitation can lead to application crashes or a denial of service."], "name": "CVE-2026-32837", "public_date": "2026-03-17T19:10:06Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32837\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32837\nhttps://github.com/mackron/miniaudio/issues/1101\nhttps://www.vulncheck.com/advisories/mackron-miniaudio-out-of-bounds-read-in-bext-coding-history-parsing"], "statement": "This MODERATE vulnerability affects miniaudio and imhex in Red Hat Community Projects. A heap out-of-bounds read in the WAV BEXT parser is triggered by processing crafted WAV files. Exploitation requires user interaction to open the malicious file (UI:R) and local access. Impact is limited to availability through application crashes.", "threat_severity": "Moderate"}