CVE-2026-32836 is a vulnerability classified under CWE-789 (Uncontrolled Memory Allocation) found in the dr_libs audio processing library developed by mackron. Specifically, the flaw exists in the drflac__read_and_decode_metadata() function, which processes FLAC audio stream metadata. The vulnerability arises because the function does not properly validate the size values of certain metadata fields—mimeLength and descriptionLength—within PICTURE metadata blocks. An attacker can craft a FLAC stream with maliciously large values in these fields, causing the function to allocate an excessive amount of memory. This uncontrolled allocation can exhaust system memory resources, leading to a denial of service condition. The vulnerability affects dr_libs version 0.13.3 and earlier. The CVSS v4.0 base score is 6.9 (medium severity), reflecting that exploitation requires local access (attack vector: local), low complexity, no privileges, no user interaction, and results in high impact on availability. There is no indication that confidentiality or integrity are impacted. No patches or fixes are currently linked, and no exploits have been reported in the wild. The vulnerability is relevant for any application or system that uses dr_libs to process FLAC audio streams, especially where untrusted or user-supplied audio data is handled.

The primary impact of this vulnerability is denial of service through memory exhaustion. Systems or applications using dr_libs to process FLAC audio streams with untrusted metadata could be forced to allocate excessive memory, potentially causing crashes, degraded performance, or system instability. This can disrupt audio processing services, media applications, or any dependent systems, leading to downtime and potential loss of availability. Since exploitation requires local access and no user interaction or privileges, the attack surface is somewhat limited to environments where an attacker can supply or influence FLAC streams processed by vulnerable software. However, in multi-tenant or shared environments, or systems processing user-uploaded audio files, the risk is more significant. There is no evidence of confidentiality or integrity compromise, so data theft or manipulation is not a direct concern. The lack of known exploits reduces immediate risk but does not eliminate the potential for future attacks.

To mitigate this vulnerability, organizations should first identify all systems and applications using dr_libs version 0.13.3 or earlier. Since no official patch is currently linked, consider the following steps: 1) Implement input validation and sanitization on FLAC metadata before processing, specifically verifying the size fields (mimeLength and descriptionLength) to ensure they are within reasonable bounds to prevent excessive allocation. 2) Employ resource limits or quotas on memory usage for processes handling audio streams to contain potential exhaustion. 3) Restrict local access to systems processing FLAC streams to trusted users and environments to reduce the attack surface. 4) Monitor application logs and system metrics for unusual memory usage patterns indicative of exploitation attempts. 5) Engage with the vendor or maintainers of dr_libs for updates or patches addressing this vulnerability. 6) Consider using alternative libraries or updated versions that have addressed this issue once available. 7) Apply defense-in-depth strategies such as sandboxing audio processing components to limit impact of potential exploitation.