CVE-2026-29022

Name of the Vulnerable Software and Affected Versions dr libs versions prior to the commit 8a7258c

Description The software contains a heap buffer overflow in the drwav read smpl to metadata obj() function within dr wav.h. This allows for memory corruption through specially crafted WAV files. A discrepancy exists between sample loop count validation during the first pass and its unconditional processing in the second pass, enabling an overflow of heap allocations with 36 bytes of attacker-controlled data when using any drwav init * with metadata() call on untrusted input.

Recommendations Update to a version after commit 8a7258c.