CVE-2021-21417

HIGH

fluidsynth < 2.1.8 - Use-After-Free via Invalid SoundFont File

Description

fluidsynth is a software synthesizer based on the SoundFont 2 specifications. A use-after-free violation was discovered in fluidsynth that can be triggered when loading an invalid SoundFont file.

References (4)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/FluidSynth/fluidsynth/issues/808
Exploit, Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/FluidSynth/fluidsynth/pull/810
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/06/msg00027.html

Scores

CVSS v3 7.2
EPSS 0.0094
EPSS Percentile 56.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Details

CWE
CWE-416
Status published
Products (2)
debian/debian_linux 9.0
fluidsynth/fluidsynth < 2.1.8
Published Apr 29, 2021
Tracked Since Feb 18, 2026