FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

fluidsynth -- Use after free when using DLS files

Affected packages
fluidsynth < 2.5.2

Details

VuXML ID: bf854a37-e180-11f0-ac0c-5404a68ad561
Discovery: 2025-12-23
Entry: 2025-12-25

The fluidsynth authors report:

A race condition during unloading of a DLS file can trigger a heap-based use-after-free. A concurrently running thread may be pending to unload a DLS file, leading to use of freed memory, if the synthesizer is being concurrently destroyed, or samples of the (unloaded) DLS file are concurrently used to synthesize audio. Realistically, both scenarios will result in a denial of service. In worst cases, it may result in arbitrary code execution in the context of an application using FluidSynth.

References

CVE Name: CVE-2025-68617
URL: https://www.cve.org/CVERecord?id=CVE-2025-68617