Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Amber
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Amber
Lifecycle Timeline
4DescriptionCVE.org
Out-of-bounds Read vulnerability in tildearrow furnace (extern/libsndfile-modified/src modules). This vulnerability is associated with program files flac.C.
This issue affects furnace: before 0.7.
AnalysisAI
Out-of-bounds read in Furnace before version 0.7 allows local attackers to read sensitive memory contents through a crafted FLAC file processed by the modified libsndfile module. This vulnerability could enable information disclosure or potentially facilitate further exploitation of the audio processing application.
Technical ContextAI
The vulnerability resides in the extern/libsndfile-modified/src module of furnace, specifically in the FLAC audio codec handling routines (flac.C). Furnace is a digital audio workstation and chiptune tracker that uses a modified version of libsndfile for audio file format support. The out-of-bounds read (CWE-125) occurs when the FLAC parser reads data from memory locations outside the bounds of an allocated buffer, likely triggered by malformed or specially crafted FLAC audio files. This class of vulnerability typically results from insufficient bounds checking during buffer operations, allowing attackers to read unintended memory regions. The affected product is identified via CPE cpe:2.3:a:tildearrow:furnace:*:*:*:*:*:*:*:* for versions prior to 0.7.
RemediationAI
Upgrade furnace to version 0.7 or later to obtain the patched version that remediates this out-of-bounds read vulnerability. The patch is available via the vendor's GitHub repository at https://github.com/tildearrow/furnace/pull/2812. Users unable to upgrade immediately should restrict furnace's input to trusted, validated FLAC audio files and avoid processing audio files from untrusted sources. Additionally, consider running furnace in a sandboxed or containerized environment to limit the impact of potential memory disclosure attacks. Monitor the official furnace repository and releases page for version 0.7 availability if not yet released.
A denial of service vulnerability was found in tildearrow Furnace. Rated medium severity (CVSS 6.5), this vulnerability
A vulnerability classified as critical has been found in tildearrow Furnace dev73. Rated medium severity (CVSS 6.5), thi
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14710
GHSA-7wq4-v54m-6v3f