VU#924114: dr_flac contains an integer overflow vulnerability that allows for DoS when provided a crafted file
dr_flac, an open-source FLAC decoder within the dr_libs audio toolset, suffers from an integer overflow vulnerability. This vulnerability, identified as CVE-2025-14369, can be exploited by crafting malicious FLAC files. Providing such a file to a tool utilizing dr_flac could trigger a denial-of-service condition, causing the tool to crash. The core issue lies in the lack of input validation when calculating memory allocation based on FLAC metadata. This allows for excessive memory allocation, leading to instability. An attacker can use this flaw to make the tool allocate vast amounts of memory. The issue impacts any system using an older version of dr_flac. The vulnerability was patched in commit b2197b2, which users should update to immediately. Updating dr_flac prevents exploitation of this security bug. The vulnerability could be triggered by any tool processing untrusted FLAC files. The reporter of this issue was Maor Caplan and the initial documentation was written by Christopher Cullen.