Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H
Local vector and UI:R because exploitation requires delivering a file and triggering local indexing; PR:L for standard user account; C:L for bounded heap leakage; I:N as no write primitive exists.
Primary rating from Vendor (fedora).
CVSS VectorVendor: fedora
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor. When processing specially crafted MP3 files containing ID3v2.4 tags, a missing bounds check in the extract_performers_tags function can lead to a heap buffer overflow. This vulnerability allows a remote attacker to cause a Denial of Service (DoS) by triggering a read of unmapped memory. In some cases, it could also lead to information disclosure by reading visible heap data.
AnalysisAI
Heap out-of-bounds read in GNOME localsearch (formerly tracker-miners) MP3 Extractor affects Red Hat Enterprise Linux 8, 9, and 10, exploitable when a local user triggers indexing of a specially crafted MP3 file containing malformed ID3v2.4 tags. The missing bounds check in the extract_performers_tags function can cause a Denial of Service via an unmapped memory read, and in certain heap layout scenarios may also leak fragments of heap memory, resulting in limited information disclosure. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
GNOME localsearch (CPE: cpe:2.3:a:red_hat:red_hat_enterprise_linux_8/9/10) is a metadata extraction daemon integrated into the GNOME desktop that automatically indexes files - including audio files - to support desktop search. The affected component is the MP3 Extractor module, which parses ID3v2.4 tag structures to retrieve performer metadata. CWE-125 (Out-of-bounds Read) is the root cause: the extract_performers_tags function does not validate that the tag data length stays within the bounds of the allocated heap buffer before reading performer string fields. ID3v2.4 supports variable-length frames, and a crafted frame with an inflated length value can cause the reader to advance beyond the buffer boundary, touching unmapped memory pages and triggering a crash, or reading adjacent heap allocations and exposing their contents.
RemediationAI
Apply the vendor-supplied update for the gnome-localsearch (tracker-miners) package on affected RHEL 8, 9, and 10 systems via standard package management (dnf update tracker-miners or gnome-localsearch). An exact fixed package version is not independently confirmed from the available data - consult the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-1764 for the precise patched RPM build. As a compensating control where patching is not immediately possible, administrators can disable automatic file indexing by running 'gsettings set org.freedesktop.Tracker3.Miner.Files enable-monitors false' or removing tracker-miners from system startup; note this will degrade desktop search functionality. Additionally, enforcing SELinux in enforcing mode (default on RHEL) limits the blast radius of any crash or heap read by confining the tracker-extract process. Do not open untrusted MP3 files on systems where patching is delayed.
More in Red Hat Enterprise Linux 10
View allRemote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h
Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft
Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter
HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel
HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls
Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege
HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator
Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD
Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user
Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co
Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment
Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Denial Of Service
View allVendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| resolute | not-affected | 3.8.2-12 |
| jammy | DNE | - |
| noble | DNE | - |
| questing | DNE | - |
| upstream | released | 3.11 |
| Release | Status | Version |
|---|---|---|
| resolute | DNE | - |
| bionic | needed | - |
| focal | needed | - |
| upstream | released | 3.11 |
| jammy | released | 3.3.3-0ubuntu0.20.04.4 |
| noble | released | 3.7.1-1ubuntu0.1 |
| questing | released | 3.8.2-4ubuntu2.1 |
Debian
Bug #1126910| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| forky, sid | fixed | 3.11.1-3 | - |
| (unstable) | fixed | 3.8.2-12 | - |
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | not-affected | - | - |
| bookworm | vulnerable | 3.4.3-1 | - |
| trixie | vulnerable | 3.8.2-4 | - |
| (unstable) | fixed | (unfixed) | - |
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Desktop Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Desktop 15 SP7 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Desktop Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Affected |
| openSUSE Leap 16.0 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Module for Desktop Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Module for Desktop Applications 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Desktop Applications 15 SP6 | Affected |
| SUSE Linux Enterprise Server 15 SP4 | Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP5 | Affected |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP6 | Affected |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Affected |
| SUSE Manager Proxy 4.3 | Affected |
| SUSE Manager Retail Branch Server 4.3 | Affected |
| SUSE Manager Server 4.3 | Affected |
| SUSE Enterprise Storage 7 | Not-Affected |
| SUSE Enterprise Storage 7.1 | Not-Affected |
| SUSE Linux Enterprise Desktop 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Desktop 15 SP3 | Not-Affected |
| SUSE Linux Enterprise Desktop 15 SP4 | Affected |
| SUSE Linux Enterprise Desktop 15 SP5 | Affected |
| SUSE Linux Enterprise Desktop 15 SP6 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Affected |
| SUSE Linux Enterprise Module for Desktop Applications 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Module for Desktop Applications 15 SP3 | Not-Affected |
| SUSE Linux Enterprise Real Time 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Real Time 15 SP3 | Not-Affected |
| SUSE Linux Enterprise Real Time 15 SP4 | Affected |
| SUSE Linux Enterprise Server 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP2-BCL | Not-Affected |
| SUSE Linux Enterprise Server 15 SP2-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 SP3 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP3-BCL | Not-Affected |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| SUSE Linux Enterprise Workstation Extension 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Workstation Extension 15 SP3 | Not-Affected |
| SUSE Linux Enterprise Workstation Extension 15 SP4 | Affected |
| SUSE Linux Enterprise Workstation Extension 15 SP5 | Affected |
| SUSE Linux Enterprise Workstation Extension 15 SP6 | Affected |
| SUSE Manager Proxy 4.1 | Not-Affected |
| SUSE Manager Proxy 4.2 | Not-Affected |
| SUSE Manager Retail Branch Server 4.1 | Not-Affected |
| SUSE Manager Retail Branch Server 4.2 | Not-Affected |
| SUSE Manager Server 4.1 | Not-Affected |
| SUSE Manager Server 4.2 | Not-Affected |
| openSUSE Leap 15.3 | Not-Affected |
| openSUSE Leap 15.4 | Affected |
| openSUSE Leap 15.5 | Affected |
| openSUSE Leap 15.6 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37025
GHSA-f6x5-hp9j-j5wv