CVE-2025-68617

7.0 HIGH

📋 TL;DR

A race condition in FluidSynth versions 2.5.0 to 2.5.1 allows a heap-based use-after-free when DLS files are unloaded concurrently with synthesizer destruction or audio synthesis. This vulnerability could lead to crashes or arbitrary code execution. Systems using FluidSynth builds with native DLS support are affected.

💻 Affected Systems

Products:
  • FluidSynth
Versions: 2.5.0 to 2.5.1
Operating Systems: All platforms where FluidSynth is installed
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects builds with native DLS support enabled. Versions compiled without DLS support are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Arbitrary code execution leading to full system compromise, denial of service, or data corruption.

🟠 Likely Case: Application crash or instability when unloading DLS files during concurrent operations.

🟢 If Mitigated: No impact if DLS files are explicitly unloaded before synth destruction with no active voices using samples.

🌐 Internet-Facing: LOW - FluidSynth is typically used locally for audio processing, not as an internet-facing service.
🏢 Internal Only: MEDIUM - Applications using FluidSynth with DLS support could be vulnerable to local exploitation or crashes.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH - Requires race condition triggering with specific timing during DLS unloading.

Exploitation requires concurrent thread operations with specific timing conditions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5.2

Vendor Advisory: https://github.com/FluidSynth/fluidsynth/security/advisories/GHSA-ffw2-xvvp-39ch

Restart Required: Yes

Instructions:

1. Download FluidSynth 2.5.2 from the official repository.
2. Compile and install following the build instructions.
3. Restart any applications using FluidSynth.

🔧 Temporary Workarounds

Disable DLS support

Platform: linux

Recompile FluidSynth without native DLS support to eliminate the vulnerability. FluidSynth builds with CMake (it has no ./configure script), so the DLS loader is switched off at configure time and the library rebuilt and reinstalled:

cmake -S . -B build -DCMAKE_BUILD_TYPE=Release -D<DLS_OPTION>=off
cmake --build build
sudo cmake --install build

<DLS_OPTION> is a placeholder for the CMake cache option that toggles native DLS support; this page does not name it, so take the exact name from the project's CMakeLists.txt or from `cmake -LH build`.

Avoid concurrent DLS unloading

Platform: all

Ensure DLS files are explicitly unloaded before synth destruction with no active voices using samples.

🧯 If You Can't Patch

  • Isolate applications using FluidSynth to minimize attack surface.
  • Monitor for crashes or abnormal behavior in FluidSynth processes.

🔍 How to Verify

Check if Vulnerable:

Check the FluidSynth version (this tests the version string only; whether native DLS support is compiled in depends on the build configuration): fluidsynth --version | grep -E '2\.5\.[01]($|[^0-9])'

Check Version:

fluidsynth --version

Verify Fix Applied:

Confirm the version is 2.5.2 or higher (a plain grep for '2.5.2' would reject 2.5.3 or 2.5.10, so compare the version numerically): v=$(fluidsynth --version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1); [ "$(printf '%s\n' 2.5.2 "$v" | sort -V | head -n 1)" = 2.5.2 ] && echo "fixed ($v)" || echo "NOT fixed ($v)"
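As an added example (not part of this advisory and not FluidSynth project code), the following POSIX sh script classifies a FluidSynth version string against the affected range (2.5.0 and 2.5.1 vulnerable, 2.5.2 and later fixed, earlier releases outside the range). It assumes the text it is given contains the installed version as x.y.z, as `fluidsynth --version` prints it; the sample output embedded below is constructed, not captured from a real host. It cannot tell whether native DLS support was compiled in, which is what actually decides exposure for the 2.5.0 and 2.5.1 builds.

```shell
#!/bin/sh
# Added example (not from the advisory or the FluidSynth project): classify a
# FluidSynth version string against the CVE-2025-68617 range.
# Affected: 2.5.0 and 2.5.1 (only builds with native DLS support).
# Fixed: 2.5.2 and later. Older releases are outside the affected range.
# Assumption: the text passed in contains the installed version as x.y.z,
# as `fluidsynth --version` prints it.

# Print the first x.y.z version found in the given text (empty if none).
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^/ /; s/^.*[^0-9.]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p' |
        head -n 1
}

# Compare two x.y.z versions component by component, numerically;
# print -1, 0 or 1 (so 2.5.10 sorts after 2.5.2, unlike a string compare).
cmp_version() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        [ "$1" -lt "$2" ] && { printf '%s\n' -1; return 0; }
        [ "$1" -gt "$2" ] && { printf '%s\n' 1; return 0; }
    done
    printf '%s\n' 0
}

# Print one of: unknown, unaffected, vulnerable, fixed.
classify_fluidsynth() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        printf '%s\n' unknown
    elif [ "$(cmp_version "$v" 2.5.0)" -lt 0 ]; then
        printf '%s\n' unaffected   # predates the native DLS loader
    elif [ "$(cmp_version "$v" 2.5.2)" -lt 0 ]; then
        printf '%s\n' vulnerable   # 2.5.0 or 2.5.1
    else
        printf '%s\n' fixed        # 2.5.2 or later (2.5.10 included)
    fi
}

# Constructed sample shaped like `fluidsynth --version` output (not captured from a real host).
SAMPLE='FluidSynth runtime version 2.5.1
Copyright (C) 2000-2025 Peter Hanappe and others.'
printf 'sample host: %s\n' "$(classify_fluidsynth "$SAMPLE")"   # sample host: vulnerable

# On a real host:
#   classify_fluidsynth "$(fluidsynth --version 2>/dev/null)"
```

Pair the result with a check of how the installed library was built: a "vulnerable" version only matters when the native DLS loader is enabled, and a "fixed" result still requires restarting the applications that have the old library loaded.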

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault or crash logs from FluidSynth processes
  • Memory access violation errors

Network Indicators:

  • Not applicable - local vulnerability

SIEM Query:

Process crashes with 'fluidsynth' in command line or error messages containing 'use-after-free' or 'DLS'
