UBUNTU-CVE-2025-68617

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2025-68617

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-68617.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-68617

Upstream

CVE-2025-68617

Published

2025-12-23T23:15:00Z

Modified

2026-01-20T18:44:22.475827Z

Severity

7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

FluidSynth is a software synthesizer based on the SoundFont 2 specifications. From versions 2.5.0 to before 2.5.2, a race condition during unloading of a DLS file can trigger a heap-based use-after-free. A concurrently running thread may be pending to unload a DLS file, leading to use of freed memory, if the synthesizer is being concurrently destroyed, or samples of the (unloaded) DLS file are concurrently used to synthesize audio. This issue has been patched in version 2.5.2. The problem will not occur, when explicitly unloading a DLS file (before synth destruction), provided that at the time of unloading, no samples of the respective file are used by active voices. The problem will not occur in versions of FluidSynth that have been compiled without native DLS support.

References

Affected packages

Ubuntu:14.04:LTS

fluidsynth

Package

Name: fluidsynth
Purl: pkg:deb/ubuntu/fluidsynth@1.1.6-2?arch=source&distro=trusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.6-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "fluidsynth",
            "binary_version": "1.1.6-2"
        },
        {
            "binary_name": "libfluidsynth-dev",
            "binary_version": "1.1.6-2"
        },
        {
            "binary_name": "libfluidsynth1",
            "binary_version": "1.1.6-2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-68617.json"

Ubuntu:16.04:LTS

fluidsynth

Package

Name: fluidsynth
Purl: pkg:deb/ubuntu/fluidsynth@1.1.6-3?arch=source&distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.6-2build1

1.1.6-3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "fluidsynth",
            "binary_version": "1.1.6-3"
        },
        {
            "binary_name": "libfluidsynth-dev",
            "binary_version": "1.1.6-3"
        },
        {
            "binary_name": "libfluidsynth1",
            "binary_version": "1.1.6-3"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-68617.json"

Ubuntu:18.04:LTS

fluidsynth

Package

Name: fluidsynth
Purl: pkg:deb/ubuntu/fluidsynth@1.1.9-1?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.6-4

1.1.8-1

1.1.8-2

1.1.8-3

1.1.9-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "fluidsynth",
            "binary_version": "1.1.9-1"
        },
        {
            "binary_name": "libfluidsynth-dev",
            "binary_version": "1.1.9-1"
        },
        {
            "binary_name": "libfluidsynth1",
            "binary_version": "1.1.9-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-68617.json"

Ubuntu:20.04:LTS

fluidsynth

Package

Name: fluidsynth
Purl: pkg:deb/ubuntu/fluidsynth@2.1.1-2?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.11-4

1.1.11-4ubuntu1

2.*

2.1.0-1

2.1.1-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "fluidsynth",
            "binary_version": "2.1.1-2"
        },
        {
            "binary_name": "libfluidsynth-dev",
            "binary_version": "2.1.1-2"
        },
        {
            "binary_name": "libfluidsynth2",
            "binary_version": "2.1.1-2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-68617.json"

Ubuntu:22.04:LTS

fluidsynth

Package

Name: fluidsynth
Purl: pkg:deb/ubuntu/fluidsynth@2.2.5-1?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.1.7-1.1

2.2.4-2

2.2.5-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "fluidsynth",
            "binary_version": "2.2.5-1"
        },
        {
            "binary_name": "libfluidsynth-dev",
            "binary_version": "2.2.5-1"
        },
        {
            "binary_name": "libfluidsynth3",
            "binary_version": "2.2.5-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-68617.json"

Ubuntu:24.04:LTS

fluidsynth

Package

Name: fluidsynth
Purl: pkg:deb/ubuntu/fluidsynth@2.3.4-1build3?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.3.3-2.1

2.3.4-1

2.3.4-1build1

2.3.4-1build2

2.3.4-1build3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "fluidsynth",
            "binary_version": "2.3.4-1build3"
        },
        {
            "binary_name": "libfluidsynth-dev",
            "binary_version": "2.3.4-1build3"
        },
        {
            "binary_name": "libfluidsynth3",
            "binary_version": "2.3.4-1build3"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-68617.json"

Ubuntu:25.10

fluidsynth

Package

Name: fluidsynth
Purl: pkg:deb/ubuntu/fluidsynth@2.4.7+dfsg-2?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.4.4+dfsg-1

2.4.7+dfsg-1

2.4.7+dfsg-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "fluidsynth",
            "binary_version": "2.4.7+dfsg-2"
        },
        {
            "binary_name": "libfluidsynth-dev",
            "binary_version": "2.4.7+dfsg-2"
        },
        {
            "binary_name": "libfluidsynth3",
            "binary_version": "2.4.7+dfsg-2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-68617.json"