CVE-2025-56225
BaseFortify
Publication date: 2026-01-09
Last updated on: 2026-01-13
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fluidsynth | fluidsynth | to 2.4.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-56225 is a null pointer dereference vulnerability in FluidSynth version 2.4.6 and earlier. It occurs in the synthesizer's monopoly legato note-on handling function when processing MIDI events. Specifically, if a MIDI channel has no preset assigned, the code attempts to call a function on a null preset pointer, causing a segmentation fault and crashing the program. This can be triggered by loading an invalid MIDI file. [1, 2]
How can this vulnerability impact me? :
This vulnerability can cause FluidSynth to crash with a segmentation fault when processing certain invalid MIDI files, leading to denial of service. If you use FluidSynth in applications that handle MIDI files, an attacker could exploit this to disrupt service or cause instability by providing crafted MIDI input. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by running FluidSynth with specially crafted invalid MIDI files that trigger the null pointer dereference, causing a crash (segmentation fault). Using fuzz testing tools such as AFL++ with AddressSanitizer enabled on a Linux system can help identify the issue. Debugging with GDB can reveal the null preset pointer causing the crash. For detection, you can run FluidSynth with a test MIDI file (e.g., mid_poc1.mid) and observe if the program crashes with a segmentation fault. Example command to run FluidSynth with a test MIDI file: `fluidsynth test.sf2 mid_poc1.mid` and monitor for crashes. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, update FluidSynth to version 2.4 or later where the fix has been merged. The fix prevents spawning noteOn events when no preset is assigned, avoiding the null pointer dereference. If updating is not possible immediately, avoid loading invalid or fuzz-generated MIDI files that could trigger the issue, and monitor FluidSynth usage to detect crashes. Applying the patch from pull request #1607 or upgrading to the fixed release is the recommended mitigation. [2]