CVE-2023-26923 – MuseScore 3.0 through 4.0.1 contains a stack bu... (How to Fix)

Q: What is the severity of CVE-2023-26923?

CVE-2023-26923 has a CVSS score of 7.0 (HIGH). MuseScore 3.0 through 4.0.1 contains a stack buffer overflow vulnerability when processing malformed MIDI files. This allows attackers to potentially execute arbitrary code on the system. Users who open untrusted MIDI files with vulnerable MuseScore versions are affected.

📋 TL;DR

MuseScore 3.0 through 4.0.1 contains a stack buffer overflow vulnerability when processing malformed MIDI files. This allows attackers to potentially execute arbitrary code on the system. Users who open untrusted MIDI files with vulnerable MuseScore versions are affected.

💻 Affected Systems

Products:

MuseScore

Versions: 3.0 to 4.0.1

Operating Systems: Windows, macOS, Linux

Default Config Vulnerable: ⚠️ Yes

Notes: All installations within affected version range are vulnerable when opening MIDI files.

📦 What is this software?

Musescore by Musescore

View all CVEs affecting Musescore →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Application crash (denial of service) when opening malicious MIDI files; code execution possible with crafted exploits.

🟢

If Mitigated

No impact if malicious MIDI files are not opened or if application is sandboxed/restricted.

🌐 Internet-Facing: LOW - MuseScore is primarily a desktop application, not typically internet-facing.

🏢 Internal Only: MEDIUM - Risk exists when users open MIDI files from untrusted sources (email, downloads, shared drives).

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires user interaction (opening malicious MIDI file). No public exploit code identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.2 and later

Vendor Advisory: https://github.com/musescore/MuseScore/issues/16346

Restart Required: Yes

Instructions:

1. Open MuseScore. 2. Go to Help > Check for Updates. 3. Follow prompts to update to version 4.0.2 or later. 4. Restart MuseScore.

🔧 Temporary Workarounds

Disable MIDI file association

all

Prevent MuseScore from automatically opening MIDI files by changing file associations.

Use application sandboxing

all

Run MuseScore in restricted environment (sandbox) to limit impact of potential exploitation.

🧯 If You Can't Patch

Avoid opening MIDI files from untrusted sources with MuseScore.
Use alternative MIDI viewers/editors for untrusted files.

🔍 How to Verify

Check if Vulnerable:

Check MuseScore version: if between 3.0 and 4.0.1 inclusive, system is vulnerable.

Check Version:

On MuseScore startup screen or via Help > About MuseScore

Verify Fix Applied:

Confirm MuseScore version is 4.0.2 or later.

📡 Detection & Monitoring

Log Indicators:

Application crashes when opening MIDI files
Unexpected process termination

Network Indicators:

N/A - primarily local file exploitation

SIEM Query:

EventID=1000 OR EventID=1001 (Application Error) with process_name='MuseScore' AND file_extension='.mid' OR '.midi'

📊 Metadata

CVE ID: CVE-2023-26923

CVSS v3 Score: 7.0 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: March 28, 2023

Last Updated: February 18, 2025

🔗 References

https://github.com/musescore/MuseScore/issues/16346 Exploit,Issue Tracking
https://github.com/musescore/MuseScore/issues/16346 Exploit,Issue Tracking

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-26923, you might also want to check these: