CVE-2025-68617 — Use After Free in Fluidsynth

CWE-416 — Use After Free4 documents4 sources

Severity

7.0HIGHNVD

EPSS

0.0%

top 92.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fluidsynth Debian Fluidsynth

Timeline

PublishedDec 23

Description

FluidSynth is a software synthesizer based on the SoundFont 2 specifications. From versions 2.5.0 to before 2.5.2, a race condition during unloading of a DLS file can trigger a heap-based use-after-free. A concurrently running thread may be pending to unload a DLS file, leading to use of freed memory, if the synthesizer is being concurrently destroyed, or samples of the (unloaded) DLS file are concurrently used to synthesize audio. This issue has been patched in version 2.5.2. The problem will n…

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/fluidsynth< fluidsynth 2.5.2+dfsg-1 (forky)

▶NVDfluidsynth/fluidsynth2.5.0 — 2.5.2

▶Debianfluidsynth/fluidsynth< 2.5.2+dfsg-1

▶CVEListV5fluidsynth/fluidsynth>= 2.5.0, < 2.5.2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2025-68617: FluidSynth is a software synthesizer based on the SoundFont 2 specifications↗2025-12-23

▶

📋Vendor Advisories

Debian

CVE-2025-68617: fluidsynth - FluidSynth is a software synthesizer based on the SoundFont 2 specifications. Fr...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-68617 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶