Primary

Context

FluidSynth Null Pointer Dereference Vulnerability in MIDI File Processing

Vulnerability

Patched

A null pointer dereference vulnerability has been identified in FluidSynth versions through 2.4.6. The issue arises in the 'fluid_synth_monopoly.c' file when the application attempts to process an invalid MIDI file. This vulnerability can lead to a segmentation fault, causing the program to crash.

Impact

Exploitation of this vulnerability causes a segmentation fault, leading to a crash of the FluidSynth application.

Reproduction

The vulnerability can be reproduced by loading an invalid MIDI file into FluidSynth 2.4.6. This can be done by using the FluidSynth command-line interface with the 'test.sf2' SoundFont and the 'mid_poc1.mid' MIDI file, both of which are available in the 'mid_poc.zip' archive.

Remediation

Users can upgrade to FluidSynth version 2.4.7, where this vulnerability has been fixed.

Added: Jan 9, 2026, 4:27 PM

Updated: Jan 9, 2026, 4:28 PM

Vulnerability Rating

Custom Algorithm

spread

4.2

impact

2.5

exploitability

5.6

remediation

7.7

relevance

2.0

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

4.2

impact

2.5

exploitability

5.6

remediation

7.7

relevance

2.0

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

FluidSynth Null Pointer Dereference Vulnerability in MIDI File Processing

Vulnerability

Impact

Reproduction

Remediation

Affected Products

FluidSynth

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating