{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5186", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-30T19:18:42.080Z", "datePublished": "2026-03-31T07:30:11.484Z", "dateUpdated": "2026-03-31T15:36:58.990Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-31T07:30:11.484Z"}, "title": "Nothings stb Multi-frame GIF File stb_image.h stbi__load_gif_main double free", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-415", "lang": "en", "description": "Double Free"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "Memory Corruption"}]}], "affected": [{"vendor": "Nothings", "product": "stb", "versions": [{"version": "2.0", "status": "affected"}, {"version": "2.1", "status": "affected"}, {"version": "2.2", "status": "affected"}, {"version": "2.3", "status": "affected"}, {"version": "2.4", "status": "affected"}, {"version": "2.5", "status": "affected"}, {"version": "2.6", "status": "affected"}, {"version": "2.7", "status": "affected"}, {"version": "2.8", "status": "affected"}, {"version": "2.9", "status": "affected"}, {"version": "2.10", "status": "affected"}, {"version": "2.11", "status": "affected"}, {"version": "2.12", "status": "affected"}, {"version": "2.13", "status": "affected"}, {"version": "2.14", "status": "affected"}, {"version": "2.15", "status": "affected"}, {"version": "2.16", "status": "affected"}, {"version": "2.17", "status": "affected"}, {"version": "2.18", "status": "affected"}, {"version": "2.19", "status": "affected"}, {"version": "2.20", "status": "affected"}, {"version": "2.21", "status": "affected"}, {"version": "2.22", "status": "affected"}, {"version": "2.23", "status": "affected"}, {"version": "2.24", "status": "affected"}, {"version": "2.25", "status": "affected"}, {"version": "2.26", "status": "affected"}, {"version": "2.27", "status": "affected"}, {"version": "2.28", "status": "affected"}, {"version": "2.29", "status": "affected"}, {"version": "2.30", "status": "affected"}], "modules": ["Multi-frame GIF File Handler"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in Nothings stb up to 2.30. This impacts the function stbi__load_gif_main of the file stb_image.h of the component Multi-frame GIF File Handler. This manipulation causes double free. The attack requires local access. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-30T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-30T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-30T21:23:49.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "d0razi (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/354254", "name": "VDB-354254 | Nothings stb Multi-frame GIF File stb_image.h stbi__load_gif_main double free", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354254/cti", "name": "VDB-354254 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780395", "name": "Submit #780395 | nothings stb stb_image.h <= 2.30 Double Free", "tags": ["third-party-advisory"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T15:36:51.290350Z", "id": "CVE-2026-5186", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T15:36:58.990Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5186", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T15:36:51.290350Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T15:36:55.641Z"}}], "cna": {"title": "Nothings stb Multi-frame GIF File stb_image.h stbi__load_gif_main double free", "credits": [{"lang": "en", "type": "reporter", "value": "d0razi (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "Nothings", "modules": ["Multi-frame GIF File Handler"], "product": "stb", "versions": [{"status": "affected", "version": "2.0"}, {"status": "affected", "version": "2.1"}, {"status": "affected", "version": "2.2"}, {"status": "affected", "version": "2.3"}, {"status": "affected", "version": "2.4"}, {"status": "affected", "version": "2.5"}, {"status": "affected", "version": "2.6"}, {"status": "affected", "version": "2.7"}, {"status": "affected", "version": "2.8"}, {"status": "affected", "version": "2.9"}, {"status": "affected", "version": "2.10"}, {"status": "affected", "version": "2.11"}, {"status": "affected", "version": "2.12"}, {"status": "affected", "version": "2.13"}, {"status": "affected", "version": "2.14"}, {"status": "affected", "version": "2.15"}, {"status": "affected", "version": "2.16"}, {"status": "affected", "version": "2.17"}, {"status": "affected", "version": "2.18"}, {"status": "affected", "version": "2.19"}, {"status": "affected", "version": "2.20"}, {"status": "affected", "version": "2.21"}, {"status": "affected", "version": "2.22"}, {"status": "affected", "version": "2.23"}, {"status": "affected", "version": "2.24"}, {"status": "affected", "version": "2.25"}, {"status": "affected", "version": "2.26"}, {"status": "affected", "version": "2.27"}, {"status": "affected", "version": "2.28"}, {"status": "affected", "version": "2.29"}, {"status": "affected", "version": "2.30"}]}], "timeline": [{"lang": "en", "time": "2026-03-30T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-30T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-30T21:23:49.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/354254", "name": "VDB-354254 | Nothings stb Multi-frame GIF File stb_image.h stbi__load_gif_main double free", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354254/cti", "name": "VDB-354254 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780395", "name": "Submit #780395 | nothings stb stb_image.h <= 2.30 Double Free", "tags": ["third-party-advisory"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in Nothings stb up to 2.30. This impacts the function stbi__load_gif_main of the file stb_image.h of the component Multi-frame GIF File Handler. This manipulation causes double free. The attack requires local access. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-415", "description": "Double Free"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "Memory Corruption"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-31T07:30:11.484Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5186", "state": "PUBLISHED", "dateUpdated": "2026-03-31T15:36:58.990Z", "dateReserved": "2026-03-30T19:18:42.080Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-31T07:30:11.484Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in Nothings stb up to 2.30. This impacts the function stbi__load_gif_main of the file stb_image.h of the component Multi-frame GIF File Handler. This manipulation causes double free. The attack requires local access. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-5186", "lastModified": "2026-03-31T08:15:54.970", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-31T08:15:54.970", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/780395"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354254"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354254/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-415"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.6"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.7"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.8"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.9"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.10"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.11"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.12"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.13"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.14"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.15"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.16"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.17"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.18"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.19"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.20"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.21"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.22"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.23"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.24"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.25"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.26"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.27"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.28"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.29"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.30"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "stb", "source": "cna", "vendor": "Nothings"}, "product": "stb", "vendor": "nothings"}], "analysis": {"en": {"generated_at": "2026-03-31T10:51:46.464194+00:00", "value": {"mitigation_remediation": ["Update the stb library to a patched release that eliminates the double\u2011free condition.", "If an update is unavailable, remove or disable GIF decoding functionality in the affected application to eliminate the vulnerable code path.", "Run applications using the stb library with the least privilege necessary to limit the damage from a potential crash or memory corruption.", "Monitor for abnormal crashes or memory corruption events that may indicate an attempted exploitation."], "summary": {"action": "Apply Patch", "impact": "Local Double\u2011Free Leading to Memory Corruption"}, "threat_synthesis": {"affected_systems": "Any software that incorporates the Nothings stb library version 2.30 or earlier and uses its stb_image.h header to decode GIF images is affected. The bug resides in the header\u2011only implementation, so the issue is present wherever the library is built into an application. No other vendors or product families are listed in the CVE data.", "description_and_impact": "A double\u2011free condition exists in the stb_image.h Multi\u2011frame GIF File Handler of the Nothings stb library. When stbi__load_gif_main processes a crafted GIF file, the same memory block is released twice, corrupting the heap. The CVE details do not indicate that arbitrary code execution is achieved, but the memory corruption could lead to application crashes or instability. The vulnerability is publicly exploitable, as exploit code is available, and requires that the attacker has local access to the target system.", "risk_and_exploitability": "The CVSS v3 base score is 4.8, indicating a moderate severity assessment. No EPSS score is supplied, and the vulnerability is not listed in the CISA KEV catalog. Exploitation necessitates local access and the attacker must supply a malicious GIF file to a running process that uses stbi__load_gif_main. Because public exploit code exists, a local attacker could trigger the double\u2011free, potentially causing a crash or corrupting memory, but there is no evidence of remote exploitation or privilege escalation."}}}}, "created": "2026-03-31T19:56:06.138470+00:00", "updated": "2026-03-31T20:39:24.084264+00:00", "vendors": ["nothings", "nothings$PRODUCT$stb"]}