CVE-2026-5315

MediumPublic PoC

Published: 02 April 2026

Published

02 April 2026

Modified

30 April 2026

KEV Added

—

Patch

—

CVSS Score 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

EPSS Score 0.0014 33.2th percentile

Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was determined in Nothings stb up to 1.26. The affected element is the function stbtt__buf_get8 in the library stb_truetype.h of the component TTF File Handler. Executing a manipulation can lead to out-of-bounds read. The attack can be executed…

remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely remediation of identified flaws, directly addressing the unpatched out-of-bounds read vulnerability in the stb library by mandating updates, replacements, or alternative mitigations.

SI-16 Memory Protection good match

prevent

SI-16 implements memory protection safeguards such as ASLR and DEP that prevent exploitation of out-of-bounds read vulnerabilities like the one in stbtt__buf_get8.

SI-10 Information Input Validation partial match

prevent

SI-10 enforces input validation to reject malformed TTF files, reducing the likelihood of triggering the out-of-bounds read in the stb TTF parser.

Security SummaryAI

CVE-2026-5315 is an out-of-bounds read vulnerability affecting Nothings' stb library up to version 1.26. The issue resides in the stbtt__buf_get8 function within the stb_truetype.h file of the TTF File Handler component. It is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-125 (Out-of-bounds Read), with a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).

The vulnerability enables remote exploitation without requiring attacker privileges, though it demands user interaction. An attacker can craft a malicious TTF file that, when processed by an affected application using the stb library, triggers the out-of-bounds read, potentially resulting in a low-impact denial of service such as application crashes.

Advisories from VulDB indicate that the vendor was contacted early about the disclosure but provided no response, and no patches or mitigations have been issued. An exploit has been publicly disclosed via a GitHub Gist.

The exploit's public availability increases the risk of utilization in targeted attacks against applications relying on stb for TTF parsing.

Details

CWE(s): CWE-119 CWE-125

Affected Products

nothings

stb truetype.h

≤ 1.26

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Out-of-bounds read vulnerability exploitable via malicious TTF files causes application crashes (DoS), directly enabling application exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://gist.github.com/d0razi/c11dd07c75f3b795e4f8bbfd6e2f0d29
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/submit/780559
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/vuln/354647
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/vuln/354647/cti
Permissions Required, VDB Entry · cna@vuldb.com