PT-2025-52858 · Unknown+1 · Fluidsynth+1

Derselbst

Published

2025-12-23

Updated

2026-01-05

CVE-2025-68617

CVSS v3.1

7.0

High

Vector

AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions FluidSynth versions 2.5.0 through 2.5.1

Description FluidSynth, a software synthesizer based on the SoundFont 2 specifications, contains a flaw. A race condition during the unloading of a DLS file can lead to a heap-based use-after-free. This occurs when a thread is waiting to unload a DLS file while the synthesizer is being destroyed or samples from the DLS file are being used for audio synthesis. The issue does not occur when explicitly unloading a DLS file before synthesizer destruction, provided no samples are actively used. It also does not occur in builds without native DLS support.

Recommendations Update to version 2.5.2 or later.

Exploit

Fix

Use After Free

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-416

Related Identifiers

CVE-2025-68617

GHSA-FFW2-XVVP-39CH

OPENSUSE-SU-2026:10004-1

Affected Products

Debian

Fluidsynth

PT-2025-52858 · Unknown+1 · Fluidsynth+1

CVE-2025-68617

Weakness Enumeration

Related Identifiers

Affected Products

References · 20