Fluid Attacks Database

Description

miniaudio version 0.11.25 and earlier (fixed in commits 1df46ae and 1df46ae) contain a heap out-of-bounds read vulnerability in the WAV BEXT metadata parser that allows attackers to trigger memory access violations by processing crafted WAV files. Attackers can exploit improper null-termination handling in the coding history field to cause out-of-bounds reads past the allocated metadata pool, resulting in application crashes or denial of service.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	miniaudio	=0.11.22+dfsg-1 \|\| =0.11.23+dfsg-1 \|\| >=0 <0.11.25+dfsg-1	0.11.25+dfsg-1
debian 13	miniaudio	=0.11.22+dfsg-1 \|\| =0.11.23+dfsg-1 \|\| =0.11.25+dfsg-1	-

Aliases

1. CVE-2026-328372. NVD-2026-328373. OSV-DEBIAN-2026-328374. OSV-2026-328375. SECURITY-TRACKER-CVE-2026-32837

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.