Bug 2424793 (CVE-2025-68617)

Summary: CVE-2025-68617 FluidSynth: Race Condition in DLS Unloading Allows Code Execution and Privilege Escalation
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: high
Priority: high
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in FluidSynth, a software synthesizer. This vulnerability involves a race condition that occurs when a DLS (Downloadable Sounds) file is being unloaded. If another process simultaneously tries to unload the same file or use its audio samples, it can lead to a 'use-after-free' error, where the program attempts to access memory that has already been released. This critical issue could allow a local attacker to execute unauthorized code, gain elevated system access, or cause the application to crash, resulting in a denial of service.
Bug Depends On: 2424828, 2424829, 2424831, 2424832, 2424833, 2424834, 2424835    

Description OSIDB Bzimport 2025-12-23 23:01:33 UTC
FluidSynth is a software synthesizer based on the SoundFont 2 specifications. From versions 2.5.0 to before 2.5.2, a race condition during unloading of a DLS file can trigger a heap-based use-after-free. A concurrently running thread may be pending to unload a DLS file, leading to use of freed memory, if the synthesizer is being concurrently destroyed, or samples of the (unloaded) DLS file are concurrently used to synthesize audio. This issue has been patched in version 2.5.2. The problem will not occur when explicitly unloading a DLS file (before synth destruction), provided that at the time of unloading, no samples of the respective file are used by active voices. The problem will not occur in versions of FluidSynth that have been compiled without native DLS support.