Race Condition Vulnerability in FluidSynth Software Synthesizer
CVE-2025-68617

7HIGH

Key Information:

Vendor

Fluidsynth

Status
Fluidsynth
Vendor
CVE Published:
23 December 2025

What is CVE-2025-68617?

FluidSynth, a software synthesizer compliant with SoundFont 2 specifications, is susceptible to a race condition affecting the unloading of DLS files. In versions ranging from 2.5.0 to before 2.5.2, this vulnerability can result in a heap-based use-after-free error. When a DLS file is being unloaded while another thread is concurrently attempting to use it for audio synthesis, it may read from a region of memory that has already been freed, potentially leading to erratic behaviors or crashes. This issue has been addressed in version 2.5.2, and users are advised to upgrade. The issue is avoided when a DLS file is unloaded explicitly prior to the destruction of the synthesizer, as long as no samples from that file are in use.

Affected Version(s)

fluidsynth >= 2.5.0, < 2.5.2

References

https://github.com/FluidSynth/fluidsynth/security/advisor...
x_refsource_CONFIRM
https://github.com/FluidSynth/fluidsynth/issues/1717
x_refsource_MISC
https://github.com/FluidSynth/fluidsynth/issues/1728
x_refsource_MISC

CVSS V3.1

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-68617 : Race Condition Vulnerability in FluidSynth Software Synthesizer