{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-56226", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-01-14T14:57:00.271Z", "dateReserved": "2025-08-16T00:00:00.000Z", "datePublished": "2026-01-14T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-14T14:36:34.513Z"}, "descriptions": [{"lang": "en", "value": "Libsndfile <=1.2.2 contains a memory leak vulnerability in the mpeg_l3_encoder_init() function within the mpeg_l3_encode.c file."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/libsndfile/libsndfile/issues/1089"}, {"url": "https://gist.github.com/Sisyphus-wang/f9e6e017b7d478bebee6e8187672abc8"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-401", "lang": "en", "description": "CWE-401 Missing Release of Memory after Effective Lifetime"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-14T14:55:28.399920Z", "id": "CVE-2025-56226", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T14:57:00.271Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-56226", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-14T14:55:28.399920Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-401", "description": "CWE-401 Missing Release of Memory after Effective Lifetime"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T14:56:29.178Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/libsndfile/libsndfile/issues/1089"}, {"url": "https://gist.github.com/Sisyphus-wang/f9e6e017b7d478bebee6e8187672abc8"}], "descriptions": [{"lang": "en", "value": "Libsndfile <=1.2.2 contains a memory leak vulnerability in the mpeg_l3_encoder_init() function within the mpeg_l3_encode.c file."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-14T14:36:34.513Z"}}}, "cveMetadata": {"cveId": "CVE-2025-56226", "state": "PUBLISHED", "dateUpdated": "2026-01-14T14:57:00.271Z", "dateReserved": "2025-08-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-01-14T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libsndfile_project:libsndfile:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2BEB4E1-9E0E-4FF3-B7C3-2ED9CDAACA87", "versionEndIncluding": "1.2.2", "versionStartIncluding": "1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Libsndfile <=1.2.2 contains a memory leak vulnerability in the mpeg_l3_encoder_init() function within the mpeg_l3_encode.c file."}], "id": "CVE-2025-56226", "lastModified": "2026-01-21T21:21:07.933", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-14T15:15:56.873", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/Sisyphus-wang/f9e6e017b7d478bebee6e8187672abc8"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/libsndfile/libsndfile/issues/1089"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "libsndfile: memory leak when encoding MP3 files due to an incomplete initialization", "id": "2429564", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2429564"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-401", "details": ["Libsndfile <=1.2.2 contains a memory leak vulnerability in the mpeg_l3_encoder_init() function within the mpeg_l3_encode.c file.", "A flaw was found in the libsndfile library. This issue occurs when encoding MP3 files. During initialization, when an unsupported sample rate is detected, encoding resources are not released within the error-handling path due to an incomplete initialization, impacting system performance and resulting in a denial of service."], "mitigation": {"lang": "en:us", "value": "Do not process untrusted MP3 files with the libsndfile library."}, "name": "CVE-2025-56226", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "libsndfile", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "libsndfile", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "libsndfile", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "libsndfile", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "libsndfile", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-56226\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-56226\nhttps://gist.github.com/Sisyphus-wang/f9e6e017b7d478bebee6e8187672abc8\nhttps://github.com/libsndfile/libsndfile/issues/1089"], "statement": "To exploit this flaw, an attacker needs to be able to process a malicious MP3 file with an application linked to the libsndfile library. Also, the only security impact of this issue is a high consumption of system memory that eventually can cause an application crash and result in a denial of service, there is no memory corruption or arbitrary code execution. Due to these reasons, this vulnerability has been rated with a moderate severity.", "threat_severity": "Moderate"}

{"created": "2026-01-15T08:03:46.267409+00:00", "updated": "2026-01-15T08:03:46.267436+00:00", "vendors": ["libsndfile_project", "libsndfile_project$PRODUCT$libsndfile"]}