libsndfile
cpe:2.3:a:libsndfile_project:libsndfile:*:*:*:*:*:*:*
- >= 1.1.0, <= 1.2.2
A memory leak vulnerability has been identified in libsndfile versions starting at 1.1.0 and prior to 1.2.2. The issue arises in the MP3 encoding function 'mpeg_l3_encoder_init' within the 'mpeg_l3_encode.c' file. When the encoder initialization encounters an error, it fails to release allocated resources, leading to a memory leak.
Exploitation of this vulnerability causes a memory leak in the 'sndfile-convert' utility when processing MP3 files.
The vulnerability can be reproduced by encoding an MP3 file with a sample rate that is not supported by the MPEG-1/2/2.5 standards. This can be done using the 'sndfile-convert' command-line tool included with libsndfile. AddressSanitizer will report the memory leak, indicating that allocated resources were not released on the error path of the encoder initialization.
This vulnerability has been fixed in the official libsndfile repository.
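The leak pattern described above, as an added example that is not libsndfile's code or its actual patch: an initializer that allocates state, rejects an unsupported sample rate, and either abandons or releases what it allocated. All names (enc_t, enc_init, xalloc, leaked_by_init) are hypothetical, 7000 Hz is a constructed input, and the tracked-allocation table stands in for the sanitizer's leak report.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-ins for illustration; not libsndfile's types or functions. */
typedef struct { unsigned char *buf; int samplerate; } enc_t;

static void *live[8];  /* tracked allocations, so leftovers can be counted */

static void *xalloc(size_t n) {
    for (int i = 0; i < 8; i++)
        if (!live[i]) return live[i] = calloc(1, n);
    return NULL;
}
static void xfree(void *p) {
    for (int i = 0; p && i < 8; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
}
static int live_count(void) {
    int n = 0;
    for (int i = 0; i < 8; i++) n += live[i] != NULL;
    return n;
}
/* Sample rates defined for MPEG-1, MPEG-2 and MPEG-2.5 Layer III. */
static int rate_supported(int hz) {
    static const int ok[] = {8000, 11025, 12000, 16000, 22050, 24000,
                             32000, 44100, 48000};
    for (size_t i = 0; i < sizeof ok / sizeof ok[0]; i++)
        if (ok[i] == hz) return 1;
    return 0;
}
static void enc_close(enc_t *e) { if (e) { xfree(e->buf); xfree(e); } }

/* fix=0: the error path returns early and abandons both allocations (the leak).
   fix=1: the error path releases everything before reporting failure. */
static enc_t *enc_init(int hz, int fix) {
    enc_t *e = xalloc(sizeof *e);
    if (!e) return NULL;
    e->buf = xalloc(4096);
    if (!e->buf || !rate_supported(hz)) {
        if (fix) enc_close(e);
        return NULL;
    }
    e->samplerate = hz;
    return e;
}
/* Allocations left behind by one init attempt followed by a normal close. */
static int leaked_by_init(int hz, int fix) {
    int before = live_count();
    enc_close(enc_init(hz, fix));
    return live_count() - before;
}
int main(void) {
    /* 7000 Hz is a constructed unsupported rate; 44100 Hz is supported. */
    return !(leaked_by_init(7000, 0) == 2 && leaked_by_init(7000, 1) == 0
             && leaked_by_init(44100, 0) == 0);
}
```

The caller cannot repair the leaky variant: it receives NULL on failure, so the only place the state can be freed is inside the initializer's own error path.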