{"id":"CVE-2026-29022","details":"dr_libs dr_wav.h versions 0.14.4 and earlier (fixed in commit 8a7258c) contain a heap buffer overflow in the drwav__read_smpl_to_metadata_obj() function that allows memory corruption via crafted WAV files. Attackers can exploit a mismatch between the sampleLoopCount validation in pass 1 and the unconditional processing of sample loops in pass 2 to overflow heap allocations with 36 bytes of attacker-controlled data through any drwav_init_*_with_metadata() call on untrusted input.","modified":"2026-04-12T20:28:23.062876Z","published":"2026-03-03T20:16:49.433Z","references":[{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/mackron-dr-libs-heap-buffer-overflow-via-wav-file"},{"type":"FIX","url":"https://github.com/mackron/dr_libs/issues/296"},{"type":"FIX","url":"https://github.com/mackron/dr_libs/commit/8a7258cc66b49387ad58cc5b81568982a3560d49"},{"type":"EVIDENCE","url":"https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2026-001-dr-libs-heap-overflow.md"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mackron/dr_libs","events":[{"introduced":"0"},{"last_affected":"86cc48cbfd981fa00ea94905ac9d6df4b18d4e59"},{"fixed":"8a7258cc66b49387ad58cc5b81568982a3560d49"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.14.4"}]}}],"versions":["flac-0.12.43","flac-0.13.0","flac-0.13.1","flac-0.13.2","flac-0.13.3","mp3-0.6.40","mp3-0.7.0","mp3-0.7.1","mp3-0.7.2","mp3-0.7.3","wav-0.13.17","wav-0.14.0","wav-0.14.1","wav-0.14.2","wav-0.14.3","wav-0.14.4"],"database_specific":{"vanir_signatures":[{"signature_type":"Function","deprecated":false,"target":{"function":"drwav__read_smpl_to_metadata_obj","file":"dr_wav.h"},"signature_version":"v1","source":"https://github.com/mackron/dr_libs/commit/8a7258cc66b49387ad58cc5b81568982a3560d49","digest":{"length":2391,"function_hash":"274369362393551192513363769171209288243"},"id":"CVE-2026-29022-fce3f2cc"},{"signature_type":"Line","deprecated":false,"target":{"file":"dr_wav.h"},"signature_version":"v1","source":"https://github.com/mackron/dr_libs/commit/8a7258cc66b49387ad58cc5b81568982a3560d49","digest":{"line_hashes":["156795787947303449052969177408990759377","59291680430260035811927451671464663129","228646447708251646692394864719693196134","158979362182074801015321575016085867557","173586220997624508417669118978994880442","91942019853083460248550813309024703446","142159905643640360312427245440674607226","112790070828669043927775556278995618390","174212771834172706152907015960890894677","260501320710546516656083547975678066426","323060563103988631367845787923048641418","322343670201188098949562074664305590200","10465561640976524446552361072942782589","227512529262938785102389554125723867218","69386179624840899124734532474254819571","119763434519947992881935478934869808017"],"threshold":0.9},"id":"CVE-2026-29022-fed86f9c"}],"vanir_signatures_modified":"2026-04-12T20:28:23Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29022.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}
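The bug class the record describes (a sizing pass that validates a count and a processing pass that does not) modeled as an added example; this is not dr_libs code and not the fix from commit 8a7258c. The 36-byte header, 24-byte loop record, the offset of sampleLoopCount within the header and the constructed input are assumptions chosen for the demo, not dr_wav.h's actual layout. The model replaces the heap block with an instrumented arena that counts bytes written past the reserved size, so the vulnerable variant reports the overflow instead of corrupting memory.

```c
/* Added example, not dr_libs code: a model of the two-pass metadata parser
 * pattern behind CVE-2026-29022. Pass 1 sizes a heap block, pass 2 fills it.
 * Field offset, record size and byte layout are assumptions for the demo,
 * not dr_wav.h's real layout. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SMPL_HEADER_BYTES 36u  /* assumed: nine little-endian uint32 fields  */
#define SMPL_LOOP_BYTES   24u  /* assumed: six uint32 fields per loop record */
#define LOOP_COUNT_OFFSET 28u  /* assumed: sampleLoopCount is the eighth one */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Stand-in for the heap block allocated from pass 1's size. Bytes that would
 * land past 'capacity' are counted instead of written, so the model cannot
 * corrupt memory while still reporting the overflow. */
typedef struct { uint8_t buf[256]; size_t capacity, used, overflowed; } arena;

static void arena_write(arena *a, const uint8_t *src, size_t n) {
    size_t room = a->capacity > a->used ? a->capacity - a->used : 0;
    size_t ok = n < room ? n : room;
    if (ok) memcpy(a->buf + a->used, src, ok);
    a->used += ok;
    a->overflowed += n - ok;
}

/* The one bound check: the declared loop table must fit in the chunk.
 * An inconsistent count is treated as zero loops. */
static uint32_t trusted_loop_count(const uint8_t *chunk, uint32_t chunkSize) {
    uint32_t declared;
    if (chunkSize < SMPL_HEADER_BYTES) return 0;
    declared = rd32(chunk + LOOP_COUNT_OFFSET);
    if ((uint64_t)declared * SMPL_LOOP_BYTES > chunkSize - SMPL_HEADER_BYTES) return 0;
    return declared;
}

/* Pass 1: reserve space only for loops that passed the bound check. */
static size_t pass1_loop_bytes(const uint8_t *chunk, uint32_t chunkSize) {
    return (size_t)trusted_loop_count(chunk, chunkSize) * SMPL_LOOP_BYTES;
}

/* Pass 2, vulnerable shape: re-reads the declared count and copies every
 * loop without repeating pass 1's check. Reads keep going because the file
 * continues past the chunk; writes go into a block sized for zero loops. */
static void pass2_vulnerable(const uint8_t *file, arena *a) {
    uint32_t declared = rd32(file + LOOP_COUNT_OFFSET), i;
    for (i = 0; i < declared; i++)
        arena_write(a, file + SMPL_HEADER_BYTES + (size_t)i * SMPL_LOOP_BYTES, SMPL_LOOP_BYTES);
}

/* Pass 2, hardened: both passes derive the count from the same predicate,
 * so bytes written can never exceed bytes reserved. */
static void pass2_hardened(const uint8_t *file, uint32_t chunkSize, arena *a) {
    uint32_t n = trusted_loop_count(file, chunkSize), i;
    for (i = 0; i < n; i++)
        arena_write(a, file + SMPL_HEADER_BYTES + (size_t)i * SMPL_LOOP_BYTES, SMPL_LOOP_BYTES);
}

/* Constructed input (not a real sample): a 36-byte smpl header declaring
 * sampleLoopCount = 2, followed by 48 attacker-chosen bytes. The caller
 * picks the chunk size field: 36 makes the count inconsistent, 84 is honest. */
#define CRAFTED_FILE_BYTES (SMPL_HEADER_BYTES + 2u * SMPL_LOOP_BYTES)

static void build_crafted(uint8_t file[CRAFTED_FILE_BYTES]) {
    memset(file, 0, CRAFTED_FILE_BYTES);
    file[LOOP_COUNT_OFFSET] = 2;
    memset(file + SMPL_HEADER_BYTES, 0x41, 2u * SMPL_LOOP_BYTES);
}

/* Bytes pass 1 reserves for the crafted file at a given chunk size. */
static size_t reserved_bytes(uint32_t chunkSize) {
    uint8_t file[CRAFTED_FILE_BYTES];
    build_crafted(file);
    return pass1_loop_bytes(file, chunkSize);
}

/* Bytes pass 2 writes past the pass-1 allocation; 0 means no overflow. */
static size_t overflow_bytes(uint32_t chunkSize, int hardened) {
    uint8_t file[CRAFTED_FILE_BYTES];
    arena a;
    build_crafted(file);
    memset(&a, 0, sizeof a);
    a.capacity = pass1_loop_bytes(file, chunkSize);
    if (a.capacity > sizeof a.buf) a.capacity = sizeof a.buf;  /* model limit */
    if (hardened) pass2_hardened(file, chunkSize, &a);
    else          pass2_vulnerable(file, &a);
    return a.overflowed;
}
```

With the chunk size field set to 36, pass 1 rejects the declared count and reserves nothing, yet the vulnerable pass 2 still copies both loops into the zero-sized block; the hardened pass 2 consults the same predicate and writes nothing. With an honest chunk size of 84 both variants reserve and write 48 bytes, so the fix costs no functionality. The practical check when reviewing any two-pass parser: the processing pass must use the count the sizing pass validated, never re-read it from the input.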