Impact
The vulnerability is an integer overflow in the computation of the temporary-buffer size in kiss_fftndr_alloc(). The function sizes that buffer from caller-supplied dimensions as dimOther*(dimReal+2)*sizeof(kiss_fft_scalar), where dimOther and dimReal are int values derived from the dims array. The product dimOther*(dimReal+2) is evaluated in 32-bit signed arithmetic before it is widened to size_t, so crafted dimension values push it past the maximum value of a signed 32-bit integer and it wraps (signed overflow is undefined behaviour in C, and in practice wraps). The wrapped value is what reaches malloc(), which therefore returns a buffer far smaller than the data it must hold. The subsequent FFT passes write into that buffer using the original, unwrapped dimensions, run past its end, corrupt the heap, and can lead to arbitrary code execution. This is a heap-based buffer overflow (CWE-122) caused by an unchecked integer overflow (CWE-190).
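The size arithmetic described above, as an added example that is not KissFFT's own code: naive_tmpbuf_bytes() reproduces the pre-fix expression, with the int product evaluated in 32-bit arithmetic before widening, and checked_tmpbuf_bytes() computes the same quantity in size_t with an explicit overflow test on every multiplication and addition. The function names, the constructed dimensions and the float scalar type are assumptions, and the check is written for this example rather than copied from the fix commit.

```c
/* Added example, not KissFFT's own code: models the temporary-buffer size
 * arithmetic of kiss_fftndr_alloc() in its pre-fix (naive) form and in a
 * checked form. Function names below are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* KissFFT's default scalar type (assumption: default float build). */
typedef float kiss_fft_scalar;

#define MAX(a, b) ((a) > (b) ? (a) : (b))

/* Product of dims[0..n-1] in int arithmetic, as KissFFT's prod() does. */
static int prod_int(const int *dims, int n)
{
    int x = 1;
    while (n--)
        x *= *dims++;
    return x;
}

/* Pre-fix arithmetic: dimOther*(dimReal+2) is an int*int product, so it is
 * evaluated in 32-bit signed arithmetic and only then widened to size_t.
 * Signed overflow is undefined behaviour in C; the unsigned cast models the
 * wraparound that compilers typically emit, without triggering UB here. */
size_t naive_tmpbuf_bytes(const int *dims, int ndims)
{
    int dimReal  = dims[ndims - 1];
    int dimOther = prod_int(dims, ndims - 1);
    int32_t product = (int32_t)((uint32_t)dimOther * (uint32_t)(dimReal + 2));

    return (size_t)MAX(2 * dimOther, dimReal + 2) * sizeof(kiss_fft_scalar)
         + (size_t)product * sizeof(kiss_fft_scalar);
}

/* a*b into *out, refusing to wrap. */
static int mul_size_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Hardened arithmetic: every dimension must be positive, and every product
 * and sum is done in size_t with an explicit overflow test. Returns 1 and
 * sets *bytes on success, 0 if a dimension is invalid or a value would wrap,
 * so malloc() never sees an undersized request. */
int checked_tmpbuf_bytes(const int *dims, int ndims, size_t *bytes)
{
    size_t dimOther = 1, dimReal, twoOther, t1, t2;
    int i;

    if (ndims < 1)
        return 0;
    for (i = 0; i < ndims - 1; i++) {
        if (dims[i] <= 0 || !mul_size_checked(dimOther, (size_t)dims[i], &dimOther))
            return 0;
    }
    if (dims[ndims - 1] <= 0)
        return 0;
    dimReal = (size_t)dims[ndims - 1];

    if (!mul_size_checked(dimOther, 2, &twoOther))
        return 0;
    if (!mul_size_checked(MAX(twoOther, dimReal + 2), sizeof(kiss_fft_scalar), &t1))
        return 0;
    if (!mul_size_checked(dimOther, dimReal + 2, &t2) ||
        !mul_size_checked(t2, sizeof(kiss_fft_scalar), &t2))
        return 0;
    if (t1 > SIZE_MAX - t2)
        return 0;
    *bytes = t1 + t2;
    return 1;
}

/* Constructed dimensions for the demonstration: dimOther = 256*256 = 65536
 * and dimReal+2 = 65538, so dimOther*(dimReal+2) = 2^32 + 131072, which
 * wraps to 131072 in 32-bit arithmetic. */
static const int demo_dims[3] = { 256, 256, 65536 };

size_t demo_naive_bytes(void)
{
    return naive_tmpbuf_bytes(demo_dims, 3);
}

/* Honest byte count for demo_dims, or 0 if it does not fit in size_t. */
size_t demo_checked_bytes(void)
{
    size_t b;
    return checked_tmpbuf_bytes(demo_dims, 3, &b) ? b : 0;
}

int main(void)
{
    printf("naive   : %zu bytes\n", demo_naive_bytes());   /* 1048576 */
    printf("checked : %zu bytes\n", demo_checked_bytes()); /* 17180917760 on 64-bit, 0 where it does not fit */
    return 0;
}
```

With the constructed dimensions the naive expression asks malloc() for 1 MiB while the data the FFT passes will write needs roughly 16 GiB; the checked version either reports the real requirement, which malloc() can then refuse, or returns 0 on a platform where it does not fit in size_t. Note the shape of the dangerous case: a product that wraps to a negative int is converted to a very large size_t and simply makes the allocation fail, so the attacker needs dimensions whose product wraps back to a small positive value, as here.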
Affected Systems
Any build of the KissFFT library that predates commit 8a8e66e33d692bad1376fe7904d87d767730537f is affected. The flaw is in the core library and independent of distribution channel, so every application that links against an unpatched version, including copies vendored into larger multimedia or signal-processing software, must be evaluated for exposure. If the library is built from a git checkout, check whether that commit is an ancestor of the revision you build; for vendored copies, compare the kiss_fftndr_alloc() size computation against the fixed version, since the vendored copy will carry no version marker that identifies the fix.
Risk and Exploitability
The CVSS base score of 8.7 indicates high severity. No EPSS score is available and the vulnerability is not listed in KEV, but neither absence reduces its exploitation potential. Any attacker who controls the dimensions passed to kiss_fftndr_alloc(), for example through a network-exposed API or a malformed input file whose header determines the transform dimensions, can trigger the overflow. Whether the attack is local or remote depends on how the application obtains those dimensions; in every case the application must be running the unpatched library at the time the crafted input is processed. Because the outcome is heap memory corruption with a path to code execution, the vulnerability warrants immediate remediation.
OpenCVE Enrichment