Skip to main content

Furnace CVE-2026-4732

| EUVDEUVD-2026-14710 HIGH
Out-of-bounds Read (CWE-125)
2026-03-24 GovTech CSG GHSA-7wq4-v54m-6v3f
8.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Amber

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Amber
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
N

Lifecycle Timeline

4
EUVD ID Assigned
Mar 24, 2026 - 03:30 euvd
EUVD-2026-14710
Analysis Generated
Mar 24, 2026 - 03:30 vuln.today
Patch released
Mar 24, 2026 - 03:30 nvd
Patch available
CVE Published
Mar 24, 2026 - 02:50 nvd
HIGH 8.4

DescriptionCVE.org

Out-of-bounds Read vulnerability in tildearrow furnace (‎extern/libsndfile-modified/src modules). This vulnerability is associated with program files flac.C‎.

This issue affects furnace: before 0.7.

AnalysisAI

Out-of-bounds read in Furnace before version 0.7 allows local attackers to read sensitive memory contents through a crafted FLAC file processed by the modified libsndfile module. This vulnerability could enable information disclosure or potentially facilitate further exploitation of the audio processing application.

Technical ContextAI

The vulnerability resides in the extern/libsndfile-modified/src module of furnace, specifically in the FLAC audio codec handling routines (flac.C). Furnace is a digital audio workstation and chiptune tracker that uses a modified version of libsndfile for audio file format support. The out-of-bounds read (CWE-125) occurs when the FLAC parser reads data from memory locations outside the bounds of an allocated buffer, likely triggered by malformed or specially crafted FLAC audio files. This class of vulnerability typically results from insufficient bounds checking during buffer operations, allowing attackers to read unintended memory regions. The affected product is identified via CPE cpe:2.3:a:tildearrow:furnace:*:*:*:*:*:*:*:* for versions prior to 0.7.

RemediationAI

Upgrade furnace to version 0.7 or later to obtain the patched version that remediates this out-of-bounds read vulnerability. The patch is available via the vendor's GitHub repository at https://github.com/tildearrow/furnace/pull/2812. Users unable to upgrade immediately should restrict furnace's input to trusted, validated FLAC audio files and avoid processing audio files from untrusted sources. Additionally, consider running furnace in a sandboxed or containerized environment to limit the impact of potential memory disclosure attacks. Monitor the official furnace repository and releases page for version 0.7 availability if not yet released.

Share

CVE-2026-4732 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy