
GNOME localsearch CVE-2026-1766

EUVD: EUVD-2026-37027 · MEDIUM
Buffer Access with Incorrect Length Value (CWE-805)
2026-06-16 · fedora · GHSA-4x89-cjcj-2f3m
CVSS 3.1 (NVD): 6.1

Severity by source

  • Vendor (fedora), PRIMARY: MEDIUM (qualitative)
  • NVD: 6.1 MEDIUM, AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
  • vuln.today AI: 5.6 MEDIUM. Local file-based trigger requires low-privilege local account and indexer processing (UI:R); crash causes high availability loss with incidental heap read (C:L) and no write primitive.
      CVSS 3.1: AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H
      CVSS 4.0: AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
  • Ubuntu: MEDIUM (qualitative)
  • SUSE: 5.6 MEDIUM, AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H
  • Red Hat: 5.6 MEDIUM (qualitative)

Primary rating from Vendor (fedora).

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: High

Lifecycle Timeline

  • CVSS changed: Jun 16, 2026 - 20:37 (NVD), 5.6 (MEDIUM) → 6.1 (MEDIUM)
  • Analysis generated: Jun 16, 2026 - 02:17 (vuln.today)

Description (NVD)

A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor, specifically within the tracker-extract-mp3 component. This heap buffer overflow vulnerability occurs when processing specially crafted MP3 files containing malformed ID3v2.3 COMM (Comment) tags. An attacker could exploit this by providing a malicious MP3 file, leading to a denial of service (DoS), which causes an application crash, and potentially disclosing sensitive information from the heap memory.

Analysis (AI)

Heap buffer overflow in GNOME localsearch's tracker-extract-mp3 component enables a local attacker to crash the metadata extraction daemon and potentially disclose heap memory contents by supplying a specially crafted MP3 file with malformed ID3v2.3 COMM tags. Affected platforms confirmed by Red Hat include RHEL 8, 9, and 10, where GNOME localsearch (formerly tracker-miners) runs as a background desktop search indexing service. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Obtain local user account on RHEL GNOME system
  • Delivery: Craft MP3 with malformed ID3v2.3 COMM tag length
  • Exploit: Write file to GNOME localsearch monitored directory
  • Execution: tracker-extract-mp3 auto-processes file during indexing
  • Persist: Heap buffer overflow triggers crash (DoS)
  • Impact: Heap memory contents potentially disclosed via crash output

Vulnerability Assessment (AI)

Exploitation: Exploitation requires a local account on the affected system with at least low privilege (PR:L per CVSS). …

Risk Assessment: The NVD CVSS 3.1 base score of 5.6 (Medium) reflects the combined constraints of a local attack vector (AV:L), low privilege requirement (PR:L), and mandatory user interaction (UI:R), all of which substantially limit opportunistic exploitation. …

Exploit Scenario: An attacker with a local user account on an affected RHEL system places a specially crafted MP3 file containing a malformed ID3v2.3 COMM tag into a directory monitored by the GNOME localsearch indexer, such as the user's home or music directory. The tracker-extract-mp3 daemon automatically processes the file during background indexing, triggering the heap buffer overflow, which crashes the process and may expose heap memory contents to the attacker through crash artifacts or error output. …

Remediation: Patch availability is confirmed per vendor advisory at https://access.redhat.com/security/cve/CVE-2026-1766 and the associated Bugzilla tracking entry at https://bugzilla.redhat.com/show_bug.cgi?id=2435982; however, the exact fixed package version is not specified in the available data and should be obtained from Red Hat directly before deploying. …


Vendor Status

Ubuntu

Priority: Medium

localsearch

| Release | Status | Version |
|---|---|---|
| resolute | not-affected | 3.8.2-12 |
| jammy | DNE | - |
| noble | DNE | - |
| questing | DNE | - |
| upstream | released | 3.11 |

tracker-miners

| Release | Status | Version |
|---|---|---|
| resolute | DNE | - |
| jammy | released | 3.3.3-0ubuntu0.20.04.4 |
| noble | released | 3.7.1-1ubuntu0.1 |
| bionic | needed | - |
| focal | needed | - |
| upstream | released | 3.11 |
| questing | released | 3.8.2-4ubuntu2.1 |

Debian

Bug #1126910

localsearch

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| forky, sid | fixed | 3.11.1-3 | - |
| (unstable) | fixed | 3.8.2-12 | - |

tracker-miners

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 2.3.5-2.1 | - |
| bookworm | vulnerable | 3.4.3-1 | - |
| trixie | vulnerable | 3.8.2-4 | - |
| (unstable) | fixed | (unfixed) | - |

SUSE

Severity: Moderate

| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7; SUSE Linux Enterprise Server 15 SP7; SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7; SUSE Linux Enterprise Module for Desktop Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0; SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Fixed |
| openSUSE Leap 15.6 | Fixed |
