CVE-2026-32837
MediumCVSS 4.0Exploitation Probability (EPSS)
Low risk14th percentile - higher than 14% of all known CVEs
Summary
In miniaudio version 0.11.25 and earlier, a heap out-of-bounds read vulnerability exists in the WAV BEXT metadata parser. Improper null-termination handling in the coding history field can cause memory access violations.
Risk Assessment
An attacker can exploit this by providing a crafted WAV file, potentially causing application crashes or denial of service (DoS).
Recommendation
Immediately update miniaudio to a version containing the fix (commit 1df46ae) or later.
Original NVD description (English source)
miniaudio version 0.11.25 and earlier (fixed in commits 1df46ae and 1df46ae) contain a heap out-of-bounds read vulnerability in the WAV BEXT metadata parser that allows attackers to trigger memory access violations by processing crafted WAV files. Attackers can exploit improper null-termination handling in the coding history field to cause out-of-bounds reads past the allocated metadata pool, resulting in application crashes or denial of service.

