CVE-2025-56225
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-56225, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-09

Last updated on: 2026-01-13

Assigner: MITRE

Description

fluidsynth-2.4.6 and earlier versions is vulnerable to Null pointer dereference in fluid_synth_monopoly.c, that can be triggered when loading an invalid midi file.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-09
Last Modified
2026-01-13
Generated
2026-07-06
AI Q&A
2026-01-10
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
fluidsynth fluidsynth to 2.4.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-56225 is a null pointer dereference vulnerability in FluidSynth version 2.4.6 and earlier. It occurs in the synthesizer's monopoly legato note-on handling function when processing MIDI events. Specifically, if a MIDI channel has no preset assigned, the code attempts to call a function on a null preset pointer, causing a segmentation fault and crashing the program. This can be triggered by loading an invalid MIDI file. [1, 2]

Impact Analysis

This vulnerability can cause FluidSynth to crash with a segmentation fault when processing certain invalid MIDI files, leading to denial of service. If you use FluidSynth in applications that handle MIDI files, an attacker could exploit this to disrupt service or cause instability by providing crafted MIDI input. [1, 2]

Detection Guidance

This vulnerability can be detected by running FluidSynth with specially crafted invalid MIDI files that trigger the null pointer dereference, causing a crash (segmentation fault). Using fuzz testing tools such as AFL++ with AddressSanitizer enabled on a Linux system can help identify the issue. Debugging with GDB can reveal the null preset pointer causing the crash. For detection, you can run FluidSynth with a test MIDI file (e.g., mid_poc1.mid) and observe if the program crashes with a segmentation fault. Example command to run FluidSynth with a test MIDI file: `fluidsynth test.sf2 mid_poc1.mid` and monitor for crashes. [1]

Mitigation Strategies

To mitigate this vulnerability immediately, update FluidSynth to version 2.4 or later where the fix has been merged. The fix prevents spawning noteOn events when no preset is assigned, avoiding the null pointer dereference. If updating is not possible immediately, avoid loading invalid or fuzz-generated MIDI files that could trigger the issue, and monitor FluidSynth usage to detect crashes. Applying the patch from pull request #1607 or upgrading to the fixed release is the recommended mitigation. [2]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-56225. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart