Cyber Posture

CVE-2026-5314

Severity: Medium · Public PoC available

Published: 01 April 2026
Modified: 30 April 2026
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
EPSS Score: 0.0014 (33.2nd percentile)
Risk Priority: 9 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability was found in Nothings stb up to 1.26. Impacted is the function stbtt_InitFont_internal in the library stb_truetype.h of the component TTF File Handler. Performing a manipulation results in out-of-bounds read. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires timely identification, reporting, and correction of flaws like the out-of-bounds read in stb_truetype.h to prevent exploitation of CVE-2026-5314.

prevent: Implements memory protection safeguards that mitigate out-of-bounds read vulnerabilities by preventing unauthorized memory access and exploitation leading to denial-of-service.

prevent: Requires validation of TTF file inputs to the stbtt_InitFont_internal function, reducing the risk of malformed files triggering the out-of-bounds read.

Security Summary

CVE-2026-5314 is an out-of-bounds read vulnerability affecting the Nothings stb single-header library, versions up to 1.26. The issue resides in the stbtt_InitFont_internal function within the stb_truetype.h library, part of the TTF File Handler component. Manipulation of a TTF file triggers the out-of-bounds read, as documented under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-125 (Out-of-bounds Read).

Remote attackers can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), unchanged scope (S:U), no confidentiality or integrity impact (C:N/I:N), and low availability impact (A:L), yielding a CVSS v3.1 base score of 4.3. Exploitation causes a denial-of-service condition through memory corruption, and a public exploit is available for potential use by unauthenticated attackers.

Advisories and details are provided in references including a GitHub gist at https://gist.github.com/d0razi/cb31a92f3205a4373f19b7da25946848 containing the exploit, along with VulDB entries at https://vuldb.com/submit/780558, https://vuldb.com/vuln/354646, and https://vuldb.com/vuln/354646/cti. The vendor was contacted early for disclosure but provided no response, with no patches or official mitigations noted.

The exploit was published on 2026-04-01 and could be used.

Details

CWE(s): CWE-119, CWE-125

Affected Products: nothings stb truetype.h, versions ≤ 1.26

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Out-of-bounds read in TTF file handler leads to denial-of-service via memory corruption, directly enabling application exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References