CVE-2026-1764
Received Received - Intake
Heap Buffer Overflow in GNOME Localsearch MP3 Extractor

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Fedora Project

Description
A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor. When processing specially crafted MP3 files containing ID3v2.4 tags, a missing bounds check in the `extract_performers_tags` function can lead to a heap buffer overflow. This vulnerability allows a remote attacker to cause a Denial of Service (DoS) by triggering a read of unmapped memory. In some cases, it could also lead to information disclosure by reading visible heap data.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-16
Last Modified
2026-06-16
Generated
2026-06-16
AI Q&A
2026-06-16
EPSS Evaluated
N/A
NVD
CVE-2026-1764
EUVD
EUVD-2026-37025
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gnome localsearch to 3.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1764 is a heap buffer overflow vulnerability found in the GNOME localsearch MP3 Extractor component, specifically in the function that processes ID3v2.4 tags in MP3 files.

The flaw occurs because the function lacks a proper bounds check when reading performer tags, allowing it to read beyond the allocated buffer size.

This can cause the program to read unmapped memory, leading to a crash (Denial of Service) or potentially leaking information from heap memory.

Impact Analysis

This vulnerability can impact you by allowing a remote attacker to cause a Denial of Service (DoS) by crashing the application processing MP3 files.

In some cases, it may also lead to information disclosure, where sensitive data from the heap memory could be read by an attacker.

Detection Guidance

This vulnerability can be detected by testing the GNOME localsearch MP3 Extractor component with specially crafted MP3 files containing malformed ID3v2.4 tags that trigger the heap buffer overflow in the extract_performers_tags function.

A proof-of-concept crash file is available which can be used to reproduce the issue and detect if the system is vulnerable by causing a denial of service (SIGSEGV crash).

While no specific commands are provided, you can attempt to run the vulnerable tracker-extract-mp3 module on suspicious or crafted MP3 files and monitor for crashes or abnormal behavior.

Mitigation Strategies

Immediate mitigation involves updating the GNOME localsearch (tracker-miners) package to a version where the explicit bounds check has been added to the extract_performers_tags function, preventing the heap buffer overflow.

Until an update is applied, avoid processing untrusted or specially crafted MP3 files with ID3v2.4 tags using the vulnerable tracker-extract-mp3 module to reduce the risk of denial of service or information disclosure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1764. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart