CVE-2025-68617
Use-After-Free Race Condition in FluidSynth DLS Unloading

Publication date: 2025-12-23

Last updated on: 2025-12-23

Assigner: GitHub, Inc.

Description
FluidSynth is a software synthesizer based on the SoundFont 2 specifications. From versions 2.5.0 to before 2.5.2, a race condition during unloading of a DLS file can trigger a heap-based use-after-free. A concurrently running thread may be pending to unload a DLS file, leading to use of freed memory if the synthesizer is being concurrently destroyed or samples of the (unloaded) DLS file are concurrently used to synthesize audio. This issue has been patched in version 2.5.2. The problem will not occur when explicitly unloading a DLS file (before synth destruction), provided that, at the time of unloading, no samples of the respective file are used by active voices. The problem will not occur in versions of FluidSynth that have been compiled without native DLS support.

Meta Information
Published: 2025-12-23
Last Modified: 2025-12-23
Generated: 2026-05-07
AI Q&A: 2025-12-24
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Showing 3 associated CPEs
Vendor     | Product    | Version / Range
fluidsynth | fluidsynth | 2.5.2
fluidsynth | fluidsynth | 2.5.0
fluidsynth | fluidsynth | 2.5.1

CWE ID  | Description
CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a race condition in FluidSynth versions 2.5.0 to before 2.5.2 that occurs during the unloading of a DLS file. It can cause a heap-based use-after-free error when a concurrently running thread tries to unload a DLS file while the synthesizer is being destroyed or when samples from the unloaded DLS file are still in use to synthesize audio. This means memory that has already been freed might be accessed, leading to potential crashes or undefined behavior. The issue is fixed in version 2.5.2.


How can this vulnerability impact me?

This vulnerability can lead to use of freed memory, which may cause application crashes, instability, or potentially allow an attacker to execute arbitrary code or cause denial of service. Since it involves heap-based use-after-free, it can compromise the reliability and security of applications using affected FluidSynth versions, especially in environments where audio synthesis is performed concurrently.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade FluidSynth to version 2.5.2 or later, where the issue is patched. If you cannot upgrade, the problem will not occur when you explicitly unload the DLS file before synth destruction, provided that at the time of unloading no samples of the respective file are used by active voices. Alternatively, use a version of FluidSynth compiled without native DLS support to avoid the problem.

