{"id":"CVE-2026-32837","details":"miniaudio version 0.11.25 and earlier contain a heap out-of-bounds read vulnerability in the WAV BEXT metadata parser that allows attackers to trigger memory access violations by processing crafted WAV files. Attackers can exploit improper null-termination handling in the coding history field to cause out-of-bounds reads past the allocated metadata pool, resulting in application crashes or denial of service.","modified":"2026-04-02T13:30:41.678935Z","published":"2026-03-17T20:16:14.177Z","references":[{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/mackron-miniaudio-out-of-bounds-read-in-bext-coding-history-parsing"},{"type":"REPORT","url":"https://github.com/mackron/miniaudio/issues/1101"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mackron/miniaudio","events":[{"introduced":"0"},{"last_affected":"9634bedb5b5a2ca38c1ee7108a9358a4e233f14d"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.11.25"}]}}],"versions":["0.11.15","0.11.16","0.11.17","0.11.18","0.11.19","0.11.20","0.11.21","0.11.22","0.11.23","0.11.24","0.11.25"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32837.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}