Bug 2358142 (CVE-2025-3407) - CVE-2025-3407 stb: Nothings stb out-of-bounds read
Summary: CVE-2025-3407 stb: Nothings stb out-of-bounds read
Keywords:
Status: NEW
Alias: CVE-2025-3407
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Severity: medium
Priority: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2358148 2358149 2358153 2358150 2358151 2358152
Blocks:
Reported: 2025-04-08 05:01 UTC by OSIDB Bzimport
Modified: 2025-04-08 13:45 UTC (History)
CC List: 1 user

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-04-08 05:01:57 UTC
A vulnerability was found in Nothings stb up to f056911. It has been declared as critical. Affected by this vulnerability is the function stbhw_build_tileset_from_image. The manipulation of the argument h_count/v_count leads to out-of-bounds read. The attack can be launched remotely. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.

Comment 2 Ben Beasley 2025-04-08 10:42:58 UTC
https://nvd.nist.gov/vuln/detail/CVE-2025-3407

The disclosure contains very little information and no suggested fix.

The values h_count and v_count are not arguments to stbhw_build_tileset_from_image, but local variables. They are produced by stbhw__get_template_info as output parameters based on the contents of an stbhw_config structure, particularly on the num_color array, which is clearly populated based on header data from the image being processed. So it makes sense to believe that a crafted untrusted image might be able to cause an out-of-bounds read.

However, the details of how these values are obtained and used are complicated, and no suggested fix or mitigation is currently available, so I’m not planning to attempt a downstream fix. I will monitor https://github.com/nothings/stb/issues/1769 and apply a sensible-looking patch if one appears.

In general, upstream has not appeared very interested in security-related reports. Even when straightforward fixes have been available, PRs have been merged slowly and irregularly. I would therefore expect that there will not be quick upstream action, and any candidate fix would come from the community.
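The data flow described in the comment above (tile counts h_count/v_count derived from header bytes embedded in the image, then used to drive pixel reads) is the general "attacker-controlled count versus fixed buffer" pattern. The following is an added illustration written for this page; it is not code from stb, from the bug report, or from the commenter, and it does not claim to be the fix. The header layout (nine bytes at the start of the buffer), the product formula for the counts, and the tile geometry are all constructed for the example and do not reproduce stb_herringbone_wavefunction_collapse.h; what it shows is the check that any such loader needs before reading tiles: derive the counts with overflow-safe arithmetic, compute the pixel area they imply, and compare it with the image actually supplied.

```c
/* Added example (not stb's code): validate header-derived tile counts against
 * the pixel buffer before any tile is read. Header layout, count formula and
 * tile geometry below are constructed for illustration, not stb's real ones. */
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 9   /* constructed layout: 6 colour counts, vary_x, vary_y, short_side_len */

typedef struct {
    int num_color[6];
    int num_vary_x;
    int num_vary_y;
    int short_side_len;
} tileset_config;   /* hypothetical mirror of the fields the comment names */

/* Multiply two non-negative ints; returns 0 instead of wrapping on overflow. */
static int mul_checked(int a, int b, int *out)
{
    if (a < 0 || b < 0) return 0;
    if (a != 0 && b > INT_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* Read the constructed header from the first HDR_LEN bytes of row 0. */
static void parse_config(const unsigned char *pixels, tileset_config *c)
{
    for (int i = 0; i < 6; ++i) c->num_color[i] = pixels[i];
    c->num_vary_x     = pixels[6];
    c->num_vary_y     = pixels[7];
    c->short_side_len = pixels[8];
}

/* Stand-in for a get_template_info step: counts are products of header fields,
 * so a handful of bytes can push them into the millions. 0 on int overflow. */
static int get_template_info(const tileset_config *c, int *h_count, int *v_count)
{
    int h = c->num_vary_x, v = c->num_vary_y;
    for (int i = 0; i < 3; ++i)
        if (!mul_checked(h, c->num_color[i], &h) ||
            !mul_checked(v, c->num_color[i + 3], &v))
            return 0;
    *h_count = h;
    *v_count = v;
    return 1;
}

/* Model: each tile is 2*short_side_len wide, short_side_len high, tiles stacked
 * vertically. Returns 1 if a w*h RGBA image really holds h_count+v_count tiles,
 * 0 if the header would drive reads past the end of the buffer. */
static int validate_tileset_image(const unsigned char *pixels, int w, int h,
                                  int *h_count, int *v_count)
{
    tileset_config c;
    int tiles, need_w, need_h;

    if (w <= 0 || h <= 0) return 0;
    if ((long long)w * 4 < HDR_LEN) return 0;          /* header must fit in row 0 */
    parse_config(pixels, &c);

    if (c.short_side_len <= 0 || c.short_side_len > 16) return 0;
    if (c.num_vary_x <= 0 || c.num_vary_y <= 0) return 0;
    for (int i = 0; i < 6; ++i)
        if (c.num_color[i] <= 0) return 0;

    if (!get_template_info(&c, h_count, v_count)) return 0;   /* count overflow */
    if (!mul_checked(2, c.short_side_len, &need_w)) return 0;
    if (*h_count > INT_MAX - *v_count) return 0;
    tiles = *h_count + *v_count;
    if (!mul_checked(tiles, c.short_side_len, &need_h)) return 0;

    return w >= need_w && h >= need_h;   /* the bound an unchecked tile loop lacks */
}

/* Build a zero-filled w*h RGBA buffer carrying a constructed header. */
static void make_image(unsigned char *buf, int w, int h, const unsigned char *hdr)
{
    memset(buf, 0, (size_t)w * h * 4);
    memcpy(buf, hdr, HDR_LEN);
}

/* Three constructed inputs, all against an 8x8 image. */
int check_benign(int *hc, int *vc)
{   /* 1 colour each, side 4: 2 tiles, needs 8x8 -> accepted */
    static const unsigned char hdr[HDR_LEN] = {1,1,1,1,1,1, 1,1, 4};
    unsigned char img[8 * 8 * 4];
    make_image(img, 8, 8, hdr);
    return validate_tileset_image(img, 8, 8, hc, vc);
}
int check_oversized(int *hc, int *vc)
{   /* 4 everywhere: 256+256 tiles, needs 2048 rows -> rejected */
    static const unsigned char hdr[HDR_LEN] = {4,4,4,4,4,4, 4,4, 4};
    unsigned char img[8 * 8 * 4];
    make_image(img, 8, 8, hdr);
    return validate_tileset_image(img, 8, 8, hc, vc);
}
int check_overflow(int *hc, int *vc)
{   /* 255 everywhere: 255^4 overflows int -> rejected before any size math */
    static const unsigned char hdr[HDR_LEN] = {255,255,255,255,255,255, 255,255, 16};
    unsigned char img[8 * 8 * 4];
    make_image(img, 8, 8, hdr);
    return validate_tileset_image(img, 8, 8, hc, vc);
}

int main(void)
{
    int hc = 0, vc = 0;
    printf("benign:    %d (h_count=%d v_count=%d)\n", check_benign(&hc, &vc), hc, vc);
    printf("oversized: %d (h_count=%d v_count=%d)\n", check_oversized(&hc, &vc), hc, vc);
    printf("overflow:  %d\n", check_overflow(&hc, &vc));
    return 0;
}
```

The point of the three inputs is that rejection happens at two different stages: the oversized header produces counts that fit in an int but imply far more pixels than the image holds, while the all-255 header makes the count arithmetic itself overflow, which must be caught before it is used to size anything. A real loader for this format would have to apply the equivalent of both checks with the library's actual header layout and geometry.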

