Zefie

**Name of the Vulnerable Software and Affected Versions** FluidSynth versions 2.5.0 through 2.5.1 **Description** FluidSynth, a software synthesizer based on the SoundFont 2 specifications, contains a flaw. A race condition during the unloading of a DLS file can lead to a heap-based use-after-free. This occurs when a thread is waiting to unload a DLS file while the synthesizer is being destroyed or samples from the DLS file are being used for audio synthesis. The issue does not occur when explicitly unloading a DLS file before synthesizer destruction, provided no samples are actively used. It also does not occur in builds without native DLS support. **Recommendations** Update to version 2.5.2 or later.