CVE-2026-4009 identifies a vulnerability in the jarikomppa soloud audio library, specifically in the function drwav_read_pcm_frames_s16__msadpcm located in the WAV file parser (src/audiosource/wav/dr_wav.h). The vulnerability is an out-of-bounds read caused by improper bounds checking when processing MS ADPCM encoded WAV files. An attacker with local access can craft malicious WAV files that, when parsed by the vulnerable function, cause the program to read memory outside the intended buffer boundaries. This can lead to application crashes or potentially leak sensitive memory contents. The vulnerability requires local access and limited privileges, does not require user interaction, and does not affect confidentiality, integrity, or availability directly but poses a risk of information disclosure or stability issues. The vulnerability affects versions of soloud up to and including 20200207, with the fixed version being 20200207. The vulnerability was responsibly disclosed but the vendor has not yet responded. No public exploits are known at this time, but the disclosure means attackers could develop exploits. The CVSS 4.8 score reflects medium severity due to the local attack vector and limited impact scope.

The primary impact of CVE-2026-4009 is the potential for local attackers to cause out-of-bounds reads in applications using the vulnerable soloud library for audio processing. This can lead to application crashes, resulting in denial of service or instability in software relying on this library. Additionally, out-of-bounds reads may expose sensitive memory contents, potentially leaking information that could be leveraged in further attacks. Since exploitation requires local access and limited privileges, remote exploitation is not feasible, reducing the overall risk. However, in environments where untrusted users have local access or where malicious files can be introduced locally (e.g., multi-user systems, shared workstations, or developer environments), the vulnerability could be leveraged to disrupt operations or gather sensitive data. Organizations embedding this library in multimedia applications, games, or audio processing tools should be aware of the risk to maintain application stability and data confidentiality.

To mitigate CVE-2026-4009, organizations should upgrade the soloud library to version 20200207 or later, where the vulnerability has been addressed. Developers should audit their use of the soloud library to ensure no legacy or vulnerable versions remain in their software stack. Additionally, implement strict local access controls to limit untrusted users from executing or introducing malicious audio files that could trigger the vulnerability. Employ application whitelisting and file integrity monitoring to detect unauthorized modifications or suspicious files. For environments where upgrading immediately is not feasible, consider sandboxing or isolating applications that process untrusted audio files to contain potential crashes or data leaks. Regularly monitor vendor communications for patches or updates and apply them promptly. Finally, conduct security testing on audio processing components to identify similar vulnerabilities proactively.