PatchSiren cyber security CVE debrief

CVE-2025-3406 Nothings CVE debrief

A vulnerability in the Nothings stb image library, specifically in the stbhw_build_tileset_from_image function of the Header Array Handler component, allows an out-of-bounds read through manipulation of the width argument. The issue affects stb_image.h up to version 2.13 and can be exploited remotely. The vendor uses a rolling release model and did not respond to disclosure attempts.

Vendor: Nothings
Product: stb
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-08
Original CVE updated: 2026-05-19
Advisory published: 2025-04-08
Advisory updated: 2026-05-19

Who should care

Developers using stb_image.h for image processing, particularly in server-side or networked applications; security teams managing C/C++ dependencies; organizations that process untrusted image uploads.

Technical summary

The stbhw_build_tileset_from_image function in the Nothings stb image library does not properly validate the width (w) argument, resulting in an out-of-bounds read. The flaw lies in the Header Array Handler component and can be triggered remotely by supplying crafted image data. Because the product is distributed as a rolling release rather than as versioned releases, identifying and pinning a fixed version is complicated. The vendor was contacted before disclosure but did not respond.

Defensive priority

Medium

Recommended defensive actions

  • Review applications using stb_image.h for processing untrusted image data
  • Validate image dimensions (width, height, stride) against the size of the buffer actually held before passing them to stbhw_build_tileset_from_image
  • Consider sandboxing image processing operations
  • Monitor for updates from the stb repository despite vendor non-response
  • Apply principle of least privilege to image processing components
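A caller-side dimension check of the kind the second action above describes, as an added example that is not stb's own code: it rejects any width/height/stride combination that cannot fit in the pixel buffer the caller holds, so the tileset builder is never handed a width larger than the data backing it. The argument order (pixels, stride_in_bytes, w, h), the 3-byte pixel size and the 16384 dimension limit are assumptions; the stb call itself is shown as a comment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Constructed example (not stb code): caller-side validation of image
 * dimensions against the buffer length before any stb tileset call. */

#define MAX_IMAGE_DIM 16384   /* assumed policy limit for untrusted images */
#define CHANNELS 3            /* assumed: 3 bytes (RGB) per pixel */

/* Returns true only if (w, h, stride_in_bytes) describe a pixel area that
 * lies entirely inside a buffer of buf_len bytes. */
bool image_dims_ok(int w, int h, int stride_in_bytes, size_t buf_len)
{
    if (w <= 0 || h <= 0 || stride_in_bytes <= 0) return false;
    if (w > MAX_IMAGE_DIM || h > MAX_IMAGE_DIM) return false;
    /* Each row must hold w pixels; w * CHANNELS cannot overflow an int
     * because w is already bounded by MAX_IMAGE_DIM. */
    if (stride_in_bytes < w * CHANNELS) return false;
    /* The last row starts at (h - 1) * stride and spans w * CHANNELS bytes.
     * Computed in 64 bits so a large h cannot wrap the product. */
    uint64_t needed = (uint64_t)(h - 1) * (uint64_t)stride_in_bytes
                    + (uint64_t)w * (uint64_t)CHANNELS;
    return needed <= (uint64_t)buf_len;
}

/* Hypothetical wrapper around the library call. Returns 0 when the input is
 * rejected and 1 when it would be forwarded; the real call is assumed to be
 * stbhw_build_tileset_from_image(ts, pixels, stride_in_bytes, w, h). */
int safe_build_tileset(const unsigned char *pixels, size_t buf_len,
                       int stride_in_bytes, int w, int h)
{
    if (pixels == NULL) return 0;
    if (!image_dims_ok(w, h, stride_in_bytes, buf_len)) return 0;
    /* stbhw_build_tileset_from_image(&ts, (unsigned char *)pixels,
     *                                stride_in_bytes, w, h); */
    return 1;
}
```

The check covers the padded-stride case (stride larger than w * CHANNELS) and rejects a width that the stride cannot hold, which is the failure mode the advisory describes.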

Evidence notes

Vulnerability confirmed through NVD analysis with CVSS 4.0 vector. Affected versions identified via CPE criteria. Vendor non-response documented in CNA submission records.

Official resources

2025-04-08