CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24826: Zombie Vorbis: Resurrecting 2019 Exploits in 2026 via Turso3D

Vulnerability ID: CVE-2026-24826
CVSS Score: 10.0
Published: 2026-01-27

A critical dependency lag vulnerability in the Turso3D engine resurrects a ghostly squad of seven distinct security flaws from 2019. By failing to update the bundled stb_vorbis.h library, the engine exposes users to a CVSS 10.0 cocktail of Remote Code Execution (RCE), Heap Overflows, and Stack Smashing via malicious Ogg Vorbis audio files.

TL;DR

Turso3D bundled an outdated version of stb_vorbis containing seven known critical vulnerabilities. Attackers can achieve RCE by supplying a malicious .ogg file. The fix is to update the bundled header library to the current upstream release.


⚠️ Exploit Status: POC

Technical Details

  • Attack Vector: Local / Network (via File)
  • CVSS v4.0: 10.0 (Critical)
  • Impact: RCE, DoS, Info Leak
  • Main CWE: CWE-787 (Out-of-bounds Write)
  • Fix Complexity: Low (Library Update)
  • Exploit Status: PoC Available (Historic)

Affected Systems

  • Turso3D Game Engine
  • Games built with Turso3D < PR #11
  • turso3d: < PR #11 (Fixed in: PR #11)

Code Analysis

Commit: PR-11

Merge request applying upstream stb_vorbis security fixes

Mitigation Strategies

  • Vendor dependency audit
  • Input validation for binary assets
  • Use of memory-safe languages for parsers where possible

Remediation Steps:

  1. Navigate to ThirdParty/STB/ in the source tree.
  2. Replace stb_vorbis.h with the latest version from the upstream nothings/stb repository.
  3. Recompile the application.
  4. Verify the patch by attempting to load the PoC Ogg files.
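The dependency audit and remediation steps above come down to one question: which upstream version of each vendored stb single-header library is actually checked into the tree? The script below is an added example, not code from Turso3D or from the original report. It assumes that every stb header opens with its upstream banner comment (for example `// Ogg Vorbis audio decoder - v1.22 - public domain`), walks a source tree for `stb_*.h` files, and compares the banner version against a minimum-version policy table that is itself an assumption for illustration. The sample header contents are constructed, not copied from the project.

```python
"""Audit vendored stb_*.h headers for stale versions (added example).

Assumptions: each header opens with the upstream banner comment
"// <description> - v<major>.<minor> - public domain", and MIN_VERSIONS
is a hypothetical policy table, not an authoritative list.
"""
import re
import sys
from pathlib import Path

# Banner line used by nothings/stb headers, e.g.
# "// Ogg Vorbis audio decoder - v1.22 - public domain"
BANNER_RE = re.compile(
    r"^//\s*(?P<desc>[^\n]*?)\s+-\s+v(?P<ver>\d+(?:\.\d+)*)\s+-", re.MULTILINE
)

# Hypothetical policy (assumption): oldest version accepted per header name.
MIN_VERSIONS = {
    "stb_vorbis.h": (1, 22),
}


def parse_version(header_text):
    """Return the banner version as a tuple of ints, or None if no banner is found."""
    m = BANNER_RE.search(header_text)
    if not m:
        return None
    return tuple(int(part) for part in m.group("ver").split("."))


def check_header(name, header_text, min_versions=MIN_VERSIONS):
    """Classify one vendored header as 'ok', 'stale', 'unknown' or 'unlisted'."""
    required = min_versions.get(name)
    if required is None:
        # Not covered by the policy table: report it so the table can be extended.
        return {"name": name, "found": None, "required": None, "status": "unlisted"}
    found = parse_version(header_text)
    if found is None:
        # No banner means we cannot prove the copy is current; flag for manual review.
        status = "unknown"
    elif found < required:
        status = "stale"
    else:
        status = "ok"
    return {"name": name, "found": found, "required": required, "status": status}


def audit_tree(root, min_versions=MIN_VERSIONS):
    """Walk a source tree (e.g. ThirdParty/STB/) and check every stb_*.h in it."""
    findings = []
    for path in sorted(Path(root).rglob("stb_*.h")):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings.append(check_header(path.name, text, min_versions))
    return findings


# Constructed sample header contents (not real files from the project).
SAMPLE_STALE = (
    "// Ogg Vorbis audio decoder - v1.14 - public domain\n"
    "// http://nothings.org/stb_vorbis/\n"
)
SAMPLE_CURRENT = (
    "// Ogg Vorbis audio decoder - v1.22 - public domain\n"
    "// http://nothings.org/stb_vorbis/\n"
)


if __name__ == "__main__":
    # Usage: python stb_audit.py <path-to-source-tree>; exits non-zero on findings.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    problems = 0
    for finding in audit_tree(root):
        print(f"{finding['status']:8s} {finding['name']} "
              f"found={finding['found']} required={finding['required']}")
        problems += finding["status"] in ("stale", "unknown")
    sys.exit(1 if problems else 0)
```

Wiring this into CI on the engine's `ThirdParty/` directory turns the "vendor dependency audit" from a one-off into a regression check: a header that is rolled back, or a new stb header vendored without a policy entry, fails the build rather than silently reintroducing an old decoder.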

Read the full report for CVE-2026-24826 on our website for more details including interactive diagrams and full exploit analysis.