CVE-2025-14369
Unknown Unknown - Not Provided
Integer Overflow in dr_flac Audio Decoder Causes DoS

Publication date: 2026-01-20

Last updated on: 2026-01-20

Assigner: CERT/CC

Description
dr_flac, an audio decoder within the dr_libs toolset, contains an integer overflow vulnerability flaw due to trusting the totalPCMFrameCount field from FLAC metadata before calculating buffer size, allowing an attacker with a specially crafted file to perform DoS against programs using the tool.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-20
Last Modified
2026-01-20
Generated
2026-06-16
AI Q&A
2026-01-20
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14369
EUVD
EUVD-2026-3448
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mackron dr_flac *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in dr_flac, an audio decoder within the dr_libs toolset, is an integer overflow flaw caused by trusting the totalPCMFrameCount field from FLAC metadata when calculating buffer size. An attacker can craft a malicious FLAC file with an extremely large totalPCMFrameCount value, causing the program to allocate an excessively large memory buffer. This can lead to denial-of-service (DoS) by crashing or exhausting system resources in programs using dr_flac. [1]

Impact Analysis

If you use software that relies on dr_flac for decoding FLAC audio files, an attacker could exploit this vulnerability by providing a specially crafted FLAC file. This could cause your program to allocate excessive memory, potentially leading to crashes or denial-of-service conditions, disrupting normal operation and availability. [1]

Detection Guidance

Detection of this vulnerability involves identifying programs using the dr_flac decoder from the dr_libs toolset processing specially crafted FLAC files that trigger excessive memory allocation or crashes. Since the issue arises from handling the totalPCMFrameCount field in FLAC metadata, monitoring for crashes or denial-of-service symptoms when decoding FLAC files can be indicative. Specific commands are not provided in the resources, but you can monitor logs for crashes related to audio decoding or use debugging tools to trace memory allocation in applications using dr_flac. Additionally, scanning for the presence of vulnerable versions of dr_libs in your environment can help identify exposure. [1]

Mitigation Strategies

Immediate mitigation steps include updating the dr_flac library to the fixed version that implements dynamic buffer expansion instead of allocating memory based on the totalPCMFrameCount upfront. This update prevents excessive memory allocation from malformed FLAC files and improves robustness. If updating is not immediately possible, avoid processing untrusted or specially crafted FLAC files with vulnerable versions of dr_flac to reduce risk of denial-of-service. Monitoring and restricting input files can serve as a temporary mitigation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14369. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart