CVE-2026-29022 is a heap-based buffer overflow vulnerability identified in the dr_libs open-source audio processing library, specifically within the drwav__read_smpl_to_metadata_obj() function of dr_wav.h. This function is responsible for reading sample metadata from WAV files. The vulnerability stems from inconsistent validation of the sampleLoopCount variable: during the first pass, sampleLoopCount is validated, but in the second pass, the code processes the data unconditionally. This discrepancy allows an attacker to craft a malicious WAV file that causes a heap buffer overflow by overflowing heap allocations with 36 bytes of attacker-controlled data. The overflow occurs when any of the drwav_init_*_with_metadata() functions are called with untrusted input. Exploiting this flaw can lead to memory corruption, which may result in application crashes or potentially arbitrary code execution if exploited in a suitable environment. The vulnerability affects dr_libs version 0.14.4 and earlier and was fixed in a later commit (8a7258c). The CVSS 4.0 base score is 6.8, indicating medium severity, with the attack requiring local access and user interaction but no privileges. No public exploits have been reported yet, but the risk remains for applications that process untrusted WAV files using vulnerable versions of dr_libs.

The primary impact of CVE-2026-29022 is memory corruption via heap buffer overflow, which can cause application instability, crashes, or denial of service. In scenarios where the vulnerable dr_libs library is used in security-critical or network-facing applications that process untrusted WAV files, there is a potential risk of arbitrary code execution, leading to full system compromise. This can affect multimedia applications, audio processing tools, or any software embedding dr_libs for WAV file handling. Organizations relying on dr_libs in their software stack may face risks of exploitation if attackers supply crafted audio files, especially in environments where user interaction is possible. The medium CVSS score reflects the moderate ease of exploitation and the requirement for user interaction, but the potential for high impact on confidentiality, integrity, and availability if exploited successfully. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as proof-of-concept exploits may emerge.

To mitigate CVE-2026-29022, organizations should immediately update dr_libs to the fixed version that includes commit 8a7258c or later. If updating is not immediately feasible, apply any available patches that address the heap overflow in drwav__read_smpl_to_metadata_obj(). Additionally, implement strict input validation and sanitization for all WAV files processed by applications using dr_libs, especially those accepting files from untrusted sources. Employ runtime protections such as heap canaries, address space layout randomization (ASLR), and control flow integrity (CFI) to reduce exploitation impact. Limit user privileges for applications processing audio files to minimize potential damage from exploitation. Monitor for unusual application crashes or behaviors that may indicate attempted exploitation. Finally, consider sandboxing or isolating audio processing components to contain potential compromises.