CVE-2025-56226
Published 2026-01-14

CVE-2025-56226: Libsndfile <=1.2.2 contains a memory leak vulnerability in the mpeg_l3_encoder_init() function within the mpeg_l3_encode.c file.
Priority · P4 · 23 · medium · 5.3 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:L
EPSS: 0.31% (22.9th percentile)
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libsndfile | < libsndfile 1.2.2-4 (forky) | libsndfile 1.2.2-4 (forky) |
| libsndfile_project | libsndfile | >= 0 < 1.2.2-2+deb13u1 | 1.2.2-2+deb13u1 |
| libsndfile_project | libsndfile | >= 0 < 1.2.2-4 | 1.2.2-4 |
| libsndfile_project | libsndfile | 1.1.0 – 1.2.2 | — |
CVSS provenance
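| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| osv | — | 5.3 | MEDIUM | — |
| vendor_debian | — | 5.3 | MEDIUM | — |
| vendor_redhat | — | 5.3 | MEDIUM | — |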
GHSA
GHSA-84f2-pwrw-r53v: Libsndfile <=1
ghsa_unreviewed·2026-01-14
CVE-2025-56226 [MEDIUM] CWE-401 GHSA-84f2-pwrw-r53v: Libsndfile <=1
Libsndfile <=1.2.2 contains a memory leak vulnerability in the mpeg_l3_encoder_init() function within the mpeg_l3_encode.c file.
OSV
CVE-2025-56226: Libsndfile <=1
osv·2026-01-14·CVSS 5.3
CVE-2025-56226 [MEDIUM] CVE-2025-56226: Libsndfile <=1
Libsndfile <=1.2.2 contains a memory leak vulnerability in the mpeg_l3_encoder_init() function within the mpeg_l3_encode.c file.
Red Hat
libsndfile: memory leak when encoding MP3 files due to an incomplete initialization
vendor_redhat·2026-01-14·CVSS 5.3
CVE-2025-56226 [MEDIUM] CWE-401 libsndfile: memory leak when encoding MP3 files due to an incomplete initialization
A flaw was found in the libsndfile library. This issue occurs when encoding MP3 files. During initialization, when an unsupported sample rate is detected, encoding resources are not released within the error-handling path due to an incomplete initialization, impacting system performance and resulting in a denial of service.
Statement: To exploit this flaw, an attacker needs to be able to process a malicious MP3 file with an application linked to the libsndfile library. Also, the only security impact of this issue is a high consumption of system memory that eventually can cause
Debian
CVE-2025-56226: libsndfile - Libsndfile <=1.2.2 contains a memory leak vulnerability in the mpeg_l3_encoder_i...
vendor_debian·2025·CVSS 5.3
CVE-2025-56226 [MEDIUM] CVE-2025-56226: libsndfile - Libsndfile <=1.2.2 contains a memory leak vulnerability in the mpeg_l3_encoder_i...
Libsndfile <=1.2.2 contains a memory leak vulnerability in the mpeg_l3_encoder_init() function within the mpeg_l3_encode.c file.
Scope: local
bookworm: open
bullseye: resolved
forky: resolved (fixed in 1.2.2-4)
sid: resolved (fixed in 1.2.2-4)
trixie: resolved (fixed in 1.2.2-2+deb13u1)
No detection rules found.
No public exploits indexed.