CVE-2025-3409

6.3 MEDIUM

A vulnerability classified as critical has been found in Nothings stb up to f056911

Published: 2025-04-08 · Last updated: 2026-05-19

Severity and scoring

CVSS: 6.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CWE: CWE-119, CWE-121

Affected products

Vendor	Product
nothings	stb_image.h

Description

A vulnerability classified as critical has been found in Nothings stb up to f056911. This affects the function stb_include_string. The manipulation of the argument path_to_includes leads to stack-based buffer overflow. It is possible to initiate the attack remotely. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2025-3409
[Other]https://vuldb.com/?ctiid.303687
[Other]https://vuldb.com/?id.303687
[Other]https://vuldb.com/?submit.544231

Related CVEs

Same vendor

CVE-2025-3408 — A vulnerability was found in Nothings stb up to f056911 (6.3 MEDIUM)
CVE-2025-3407 — A vulnerability was found in Nothings stb up to f056911 (6.3 MEDIUM)
CVE-2025-3406 — A vulnerability was found in Nothings stb up to f056911 (4.3 MEDIUM)

Same CWE

CVE-2026-12330 — Incorrect boundary conditions in the Internationalization component (5.4 MEDIUM)
CVE-2026-12329 — Memory safety bug fixed in Thunderbird ESR 140.12 (5.3 MEDIUM)
CVE-2026-12327 — Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151 (7.3 HIGH)
CVE-2026-12326 — Memory safety bugs present in Firefox 151 and Thunderbird 151 (7.3 HIGH)
CVE-2026-12318 — Incorrect boundary conditions in the Libraries component in NSS (7.3 HIGH)