Skip to main content

Symphonia CVE-2026-15276

| EUVDEUVD-2026-42732 LOW
Improper Resource Shutdown or Release (CWE-404)
2026-07-09 cna@vuldb.com GHSA-whwr-vg23-jrwg
1.9
CVSS 4.0 · Vendor: vuldb

Severity by source

Vendor (vuldb) PRIMARY
1.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.3 LOW

Local access with low privileges required to supply crafted audio input; only application availability is affected with no scope change, confidentiality, or integrity impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (vuldb).

CVSS VectorVendor: vuldb

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 22:39 vuln.today

DescriptionCVE.org

A flaw has been found in pdeljanov Symphonia up to 0.6.0. This vulnerability affects unknown code of the component Metadata Handler. This manipulation causes denial of service. The attack needs to be launched locally. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.

AnalysisAI

Denial of service in pdeljanov Symphonia up to version 0.6.0 can be triggered locally by a low-privileged attacker who supplies a crafted audio file to the Metadata Handler component, causing improper resource release and application unavailability. The root cause is CWE-404 (Improper Resource Shutdown or Release) within the metadata parsing subsystem, with no impact on confidentiality or data integrity. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local low-privilege access
Delivery
Craft malformed metadata audio file
Exploit
Supply file to Symphonia-based application
Execution
Trigger Metadata Handler resource leak
Impact
Application denial of service

Vulnerability AssessmentAI

Exploitation Local system access with at minimum low-privilege user rights is required - the attacker must be authenticated to the host or otherwise able to supply files to it. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged local user on a system running a Symphonia-based audio processing application - such as a media indexer or transcoding tool - crafts a malformed audio file with adversarially structured metadata and supplies it as input. The Metadata Handler processes the file and fails to properly release internal resources, causing the application process to exhaust available memory or file handles and crash or hang. …
Remediation No released patch is available as of the time of analysis; the upstream fix exists solely as unmerged pull request #514 at github.com/pdeljanov/Symphonia/pull/514. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15276 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy