CVE-2026-32837 is a heap out-of-bounds read vulnerability identified in the mackron miniaudio library, version 0.11.25 and earlier. The flaw exists in the WAV BEXT metadata parser, specifically due to improper handling of null termination in the coding history field. When miniaudio processes a crafted WAV file containing malformed BEXT metadata, it fails to properly null-terminate strings, leading to reads beyond the allocated memory buffer. This results in heap out-of-bounds reads, which can cause application instability or crashes, effectively leading to denial of service conditions. The vulnerability is classified under CWE-170 (Improper Null Termination). Exploitation does not require privileges, user interaction, or network access beyond local file processing, limiting the attack vector primarily to scenarios where untrusted WAV files are processed. There are no known public exploits or patches available at the time of publication. The CVSS 4.0 base score is 5.1, reflecting medium severity due to local attack vector and limited impact scope. The flaw highlights the importance of robust input validation and memory safety in audio processing libraries, especially those handling complex metadata structures.

The primary impact of CVE-2026-32837 is denial of service through application crashes caused by heap out-of-bounds reads when processing maliciously crafted WAV files. For organizations relying on miniaudio for audio playback, editing, or processing, this could lead to service interruptions or application instability. While the vulnerability does not allow code execution or privilege escalation, denial of service can disrupt audio-dependent workflows, potentially affecting multimedia applications, games, or embedded systems using miniaudio. The risk is higher in environments where untrusted or user-supplied audio files are processed without validation. Since exploitation requires local file access, remote exploitation is unlikely unless combined with other vulnerabilities or social engineering. The absence of known exploits reduces immediate risk, but the vulnerability remains a concern for software supply chain security and application robustness.

1. Avoid processing untrusted or unauthenticated WAV files with affected versions of miniaudio until a patch is released. 2. Implement strict input validation and sanitization for WAV BEXT metadata fields, especially the coding history string, to ensure proper null termination before parsing. 3. Employ memory-safe wrappers or sandboxing techniques around audio processing components to contain potential crashes and prevent broader application impact. 4. Monitor official mackron miniaudio repositories and security advisories for patches or updates addressing this vulnerability and apply them promptly. 5. Consider using alternative audio libraries with robust security track records if immediate patching is not feasible. 6. Incorporate fuzz testing and static analysis tools focused on metadata parsing to detect similar vulnerabilities proactively in audio processing code.