CVE-2025-68617

low-risk

Published 2025-12-23

FluidSynth is a software synthesizer based on the SoundFont 2 specifications. From versions 2.5.0 to before 2.5.2, a race condition during unloading of a DLS file can trigger a heap-based use-after-free. A concurrently running thread may be pending to unload a DLS file, leading to use of freed memory, if the synthesizer is being concurrently destroyed, or samples of the (unloaded) DLS file are concurrently used to synthesize audio. This issue has been patched in version 2.5.2. The problem will not occur, when explicitly unloading a DLS file (before synth destruction), provided that at the time of unloading, no samples of the respective file are used by active voices. The problem will not occur in versions of FluidSynth that have been compiled without native DLS support.

Do I need to act?

0.02% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.0/10 High

LOCAL / HIGH complexity

Affected Products (1)

Fluidsynth

Affected Vendors

Fluidsynth

References (7)

Patch https://github.com/FluidSynth/fluidsynth/commit/685e54cdc44911ace31774260bd0c9ec...

Patch https://github.com/FluidSynth/fluidsynth/commit/962b9946b5cb6b16f0c08b89dd1b7016...

Exploit https://github.com/FluidSynth/fluidsynth/issues/1717

Issue Tracking https://github.com/FluidSynth/fluidsynth/issues/1728

Vendor Advisory https://github.com/FluidSynth/fluidsynth/security/advisories/GHSA-ffw2-xvvp-39ch

Exploit https://github.com/FluidSynth/fluidsynth/issues/1717

Issue Tracking https://github.com/FluidSynth/fluidsynth/issues/1728

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal