CVE-2025-56225
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-09

Last updated on: 2026-01-13

Assigner: MITRE

Description
fluidsynth-2.4.6 and earlier versions is vulnerable to Null pointer dereference in fluid_synth_monopoly.c, that can be triggered when loading an invalid midi file.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-09
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-56225
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fluidsynth fluidsynth to 2.4.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-56225 is a null pointer dereference vulnerability in FluidSynth version 2.4.6 and earlier. It occurs in the synthesizer's monopoly legato note-on handling function when processing MIDI events. Specifically, if a MIDI channel has no preset assigned, the code attempts to call a function on a null preset pointer, causing a segmentation fault and crashing the program. This can be triggered by loading an invalid MIDI file. [1, 2]

Impact Analysis

This vulnerability can cause FluidSynth to crash with a segmentation fault when processing certain invalid MIDI files, leading to denial of service. If you use FluidSynth in applications that handle MIDI files, an attacker could exploit this to disrupt service or cause instability by providing crafted MIDI input. [1, 2]

Detection Guidance

This vulnerability can be detected by running FluidSynth with specially crafted invalid MIDI files that trigger the null pointer dereference, causing a crash (segmentation fault). Using fuzz testing tools such as AFL++ with AddressSanitizer enabled on a Linux system can help identify the issue. Debugging with GDB can reveal the null preset pointer causing the crash. For detection, you can run FluidSynth with a test MIDI file (e.g., mid_poc1.mid) and observe if the program crashes with a segmentation fault. Example command to run FluidSynth with a test MIDI file: `fluidsynth test.sf2 mid_poc1.mid` and monitor for crashes. [1]

Mitigation Strategies

To mitigate this vulnerability immediately, update FluidSynth to version 2.4 or later where the fix has been merged. The fix prevents spawning noteOn events when no preset is assigned, avoiding the null pointer dereference. If updating is not possible immediately, avoid loading invalid or fuzz-generated MIDI files that could trigger the issue, and monitor FluidSynth usage to detect crashes. Applying the patch from pull request #1607 or upgrading to the fixed release is the recommended mitigation. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-56225. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart