Disclaimer: Community trackers are created by the Red Hat Product Security team on a best-effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package before starting the update process.
Let me supply the details that are missing here.

The CVE report is here: https://www.cve.org/CVERecord?id=CVE-2026-29022

The bug is in dr_wav, and is fixed in 0.14.5 via https://github.com/mackron/dr_libs/commit/8a7258cc66b49387ad58cc5b81568982a3560d49.

Unfortunately, the bundled dr_wav here is 0.13.11, and there are significant API changes in all three dr_* libs from dr_flac 0.12.x to 0.13.x, dr_mp3 0.6.x to 0.7.x, and dr_wav 0.13.x. If I remember correctly, this is why dosbox-staging is bundling dr_libs rather than using the system package.

I found that the fix for this particular issue was easy enough to cherry-pick to dr_wav 0.13.17, at least; see https://src.fedoraproject.org/rpms/dr_libs/c/0ee60144d4480605bb152bd6094680630775b98a?branch=f42. I just had to omit the version number and changelog parts of the diff. So you could, if you like, try using that as a downstream patch for your bundled dr_wav header.

This is not the only potentially security-relevant issue fixed since dr_flac 0.12.x / dr_mp3 0.6.x / dr_wav 0.13.x. It is just the only one that has been assigned a CVE, as far as I know. In the long run, dosbox-staging upstream ought to be encouraged to upgrade their vendored dr_libs headers and fix any API incompatibilities with the latest versions.