CVE-2026-15276
Deferred Deferred - Pending Action

Denial of Service in Symphonia via Metadata Handler

Vulnerability report for CVE-2026-15276, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: VulDB

Description

A flaw has been found in pdeljanov Symphonia up to 0.6.0. This vulnerability affects unknown code of the component Metadata Handler. This manipulation causes denial of service. The attack needs to be launched locally. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
pdeljanov symphonia to 0.6.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

The vulnerability requires local access to be exploited and causes a denial of service in the Metadata Handler component of pdeljanov Symphonia up to version 0.6.0.

Immediate mitigation steps include restricting local access to trusted users only and monitoring for any unusual local activity that could trigger the vulnerability.

Since a fix is pending acceptance in a pull request, applying the patch once it is officially released is recommended.

Executive Summary

This vulnerability is a flaw found in the Metadata Handler component of pdeljanov Symphonia versions up to 0.6.0. It allows an attacker with local access to manipulate the component in a way that causes a denial of service (DoS). The exploit for this vulnerability has been published, and a fix is pending acceptance.

Impact Analysis

The impact of this vulnerability is a denial of service condition, which means that an attacker with local access can cause the affected software to become unavailable or stop functioning properly. This could disrupt normal operations or services relying on pdeljanov Symphonia.

Compliance Impact

The vulnerability causes a denial of service through local manipulation of the Metadata Handler component in pdeljanov Symphonia up to version 0.6.0.

There is no information provided about any impact on data confidentiality, integrity, or availability beyond denial of service, nor any direct relation to compliance with standards such as GDPR or HIPAA.

Therefore, based on the available information, it is not possible to determine how this vulnerability affects compliance with common standards and regulations.

Detection Guidance

This vulnerability involves multiple length-prefix-overflow issues in the symphonia-metadata library affecting audio metadata parsing for formats such as Vorbis, FLAC, and ID3v2. Detection involves identifying attempts to process maliciously crafted audio files that trigger out-of-memory conditions or crashes.

Since the attack requires local execution and is triggered by processing specially crafted audio files, detection can focus on monitoring the use of Symphonia's audio decoding functions, such as rodio::Decoder::new or symphonia::default::get_probe().format(...), for abnormal crashes or resource exhaustion.

No specific network detection commands are provided, but you can detect exploitation attempts by monitoring logs or system behavior for crashes or denial of service when processing audio files with Symphonia.

For practical detection, you might run tests with known proof-of-concept (PoC) files (as small as 21 bytes) that trigger the vulnerability, or use fuzzing tools against the metadata parsers to identify crashes.

No explicit command-line commands are provided in the resources, but monitoring application logs, using debugging tools to trace crashes, or employing fuzz testing on audio metadata parsing are recommended approaches.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15276. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart