CVE-2025-14569
Unknown Unknown - Not Provided
Use-After-Free in ggml-org whisper.cpp read_audio_data Function

Publication date: 2025-12-12

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in ggml-org whisper.cpp up to 1.8.2. Affected is the function read_audio_data of the file /whisper.cpp/examples/common-whisper.cpp. The manipulation results in use after free. The attack requires a local approach. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-12
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14569
EUVD
EUVD-2025-203108
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ggml-org whisper.cpp 1.8.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by running the vulnerable whisper-cli tool with AddressSanitizer enabled to catch invalid free operations. Specifically, compiling the software with the '-fsanitize=address' flag on Linux x86_64 systems and then running whisper-cli with a test model and audio file can reproduce the crash caused by the use-after-free. The repro script available in the public exploit repository can be used to verify the issue. There are no network detection commands since the attack requires local access and is triggered by local execution. [3, 4, 1]

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the affected versions of whisper.cpp (up to 1.8.2) and replacing the software with an alternative product, as no patches or fixes have been provided by the developers. Since the vulnerability requires local access and exploitation is straightforward, restricting local access to trusted users and environments can reduce risk. Monitoring for updates or patches from the project is also recommended. [2]

Executive Summary

This vulnerability exists in the ggml-org whisper.cpp project up to version 1.8.2, specifically in the function read_audio_data within the file /whisper.cpp/examples/common-whisper.cpp. It is a use-after-free vulnerability, meaning that the program attempts to use memory after it has been freed, which can lead to undefined behavior or exploitation. The attack requires local access to the system. The vulnerability has a public exploit available, and the project has not yet responded to the issue report.

Impact Analysis

The vulnerability can lead to unauthorized manipulation of the program's behavior due to use-after-free, potentially allowing an attacker with local access to cause crashes, execute arbitrary code, or escalate privileges. This can compromise the confidentiality, integrity, and availability of the affected system or data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14569. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart