CVE-2026-32256 is a vulnerability classified under CWE-835 (Loop with Unreachable Exit Condition) affecting the Borewit music-metadata library, a widely used metadata parser for audio and video files. The flaw exists in the ASF parser's parseExtensionObject() function, where it fails to handle a sub-object with an objectSize of zero properly. When such a crafted ASF Header Extension Object is parsed, the loop intended to process sub-objects does not reach a terminating condition, resulting in an infinite loop. This infinite loop causes the application to hang indefinitely, leading to a denial-of-service (DoS) condition. The vulnerability is exploitable remotely by supplying a malicious ASF media file to any application or service that uses the vulnerable music-metadata versions prior to 11.12.3. The CVSS v3.1 score of 7.5 reflects the high impact on availability, with no impact on confidentiality or integrity, and no privileges or user interaction required. The issue was addressed in version 11.12.3 by adding proper validation and exit conditions to prevent the infinite loop. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk to any system processing untrusted ASF media files using the affected library versions.

The primary impact of CVE-2026-32256 is a denial-of-service condition caused by an infinite loop in the ASF parser of the music-metadata library. Organizations that utilize this library in media processing applications, streaming platforms, content management systems, or any service that parses ASF files may experience application hangs or crashes when processing maliciously crafted media files. This can lead to service outages, degraded user experience, and potential cascading failures in dependent systems. Since the vulnerability can be triggered remotely without authentication or user interaction, attackers can exploit it to disrupt services at scale. This is particularly critical for cloud services, media hosting providers, and any enterprise relying on automated media ingestion pipelines. While confidentiality and integrity are not directly affected, the availability impact can result in operational downtime and increased incident response costs.

To mitigate CVE-2026-32256, organizations should immediately upgrade the Borewit music-metadata library to version 11.12.3 or later, where the infinite loop issue is fixed. For environments where immediate upgrading is not feasible, implement input validation to detect and reject ASF media files with suspicious or zero objectSize sub-objects before parsing. Employ resource usage monitoring and timeouts on media parsing operations to detect and terminate processes that hang or consume excessive CPU cycles. Additionally, sandbox or isolate media parsing components to limit the impact of potential denial-of-service conditions. Regularly audit and update third-party libraries to ensure known vulnerabilities are patched promptly. Finally, consider implementing network-level protections such as rate limiting and filtering to reduce exposure to malicious media file submissions.