CVE-2026-1764

5.6 MEDIUM

A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor

Published: 2026-06-16 · Last updated: 2026-06-16

Severity and scoring

CVSS: 5.6 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H
CWE: CWE-125

Description

A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor. When processing specially crafted MP3 files containing ID3v2.4 tags, a missing bounds check in the `extract_performers_tags` function can lead to a heap buffer overflow. This vulnerability allows a remote attacker to cause a Denial of Service (DoS) by triggering a read of unmapped memory. In some cases, it could also lead to information disclosure by reading visible heap data.

Source: NVD

References

Related CVEs

Same CWE

CVE-2026-1765 — A flaw was found in the `tracker-extract-mp3` component of GNOME localsearch (previously known as tracker-miners) (5.6 MEDIUM)
CVE-2026-12087 — Socket versions before 2.041 for Perl have an out-of-bounds heap read
CVE-2026-53704 — A flaw was found in GStreamer's RealMedia demuxer in the gst-plugins-ugly package (7.1 HIGH)
CVE-2026-53703 — A vulnerability was found in the GStreamer RealMedia demuxer (gst-plugins-ugly) (7.1 HIGH)
CVE-2026-52721 — Multiple out-of-bounds read vulnerabilities were found in GStreamer's pcapparse element (5.3 MEDIUM)