
Severity: MEDIUM | Source: CERT/CC Vulnerability Notes

VU#924114: dr_flac contains an integer overflow vulnerability that allows for DoS when provided a crafted file

An integer overflow vulnerability exists in dr_flac, an open-source FLAC audio decoder, which can lead to a denial-of-service condition. A specially crafted FLAC file can trigger the vulnerability, causing the tool using dr_flac to crash. The vulnerability is tracked as CVE-2025-14369 and has been patched.

Overview

dr_flac, an open-source FLAC audio decoder that is part of the dr_libs audio decoder toolset, contains an integer overflow vulnerability allowing for denial of service (DoS) when provided a specially crafted file. An attacker can exploit this vulnerability by providing a specially crafted file to a tool that uses dr_flac, causing the tool to crash. The vulnerability, tracked as CVE-2025-14369, has been patched in commit b2197b2 of dr_flac. In an enterprise setting, audio tools that use dr_flac may be susceptible to crashes or other abnormal behavior if they process attacker-controlled files.

Description

dr_libs is an open-source audio decoding toolset. It is made up of three separate tools, dr_flac, dr_mp3, and dr_wav, which decode FLAC, MP3, and WAV files respectively. An integer overflow vulnerability, tracked as CVE-2025-14369, has been discovered within dr_libs. An attacker who can supply crafted FLAC input files to a tool built on it may trigger allocation of a large amount of memory, leading to a crash or unintended behavior of the tool. During decoding, a single block of memory is allocated based on totalPCMFrameCount read from the FLAC metadata, and that value is not validated before the buffer size is calculated. As a result, a specifically crafted file can cause an arbitrary amount of memory to be allocated.

Impact

An attacker able to supply input data, in the form of FLAC files or another input stream, to a tool that uses dr_flac could cause a crash or a DoS condition.

Solution

Commit b2197b2, released on GitHub, fixes the issue. Users should update to the latest version as soon as possible. All versions prior to commit b2197b2 are affected.

Acknowledgements

Thanks to the reporter, Maor Caplan. This document was written by Christopher Cullen.

Vendor Information

One or more vendors are listed for this advisory. Please reference the full report for more information.
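The defect class described above, a decode-buffer size computed from an untrusted frame count, is easiest to see next to its hardened form. The following is an added example written for this page; it is not dr_flac's code and does not reproduce the patched function. The struct, its field names (totalPCMFrameCount is the name the advisory uses; channels and bitsPerSample are assumed), the 36-bit, 1..8 channel and 4..32 bit limits (taken from the FLAC STREAMINFO format) and the policy cap max_bytes are all assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical STREAMINFO-style fields, constructed for this example.
   Not dr_flac's structures. FLAC's STREAMINFO block carries a 36-bit
   total sample count, 1..8 channels and 4..32 bits per sample. */
typedef struct {
    uint64_t totalPCMFrameCount;
    uint32_t channels;
    uint32_t bitsPerSample;
} stream_info;

/* Vulnerable pattern: the frame count comes straight from the file and is
   multiplied into an allocation size with no range or overflow check.
   A wrapped product yields a tiny buffer that later writes run past;
   a non-wrapped but huge product exhausts memory. Either way: crash. */
size_t unchecked_buffer_size(const stream_info *si) {
    size_t bytesPerSample = si->bitsPerSample / 8;
    return (size_t)si->totalPCMFrameCount * si->channels * bytesPerSample;
}

/* Portable overflow-checked 64-bit unsigned multiply (no compiler builtins). */
static int mul_u64_checked(uint64_t a, uint64_t b, uint64_t *out) {
    if (a != 0 && b > UINT64_MAX / a) return 0;   /* a * b would exceed 2^64 - 1 */
    *out = a * b;
    return 1;
}

/* Hardened pattern: validate each field against its format limits, multiply
   with overflow detection, then apply a caller-chosen policy cap. Returns 1
   and stores the size on success; returns 0 (size 0) when the file is rejected. */
int checked_buffer_size(const stream_info *si, size_t max_bytes, size_t *out) {
    uint64_t total, bytesPerSample;
    *out = 0;
    if (si->channels < 1 || si->channels > 8) return 0;
    if (si->bitsPerSample < 4 || si->bitsPerSample > 32) return 0;
    if (si->totalPCMFrameCount >= ((uint64_t)1 << 36)) return 0; /* beyond the 36-bit field */
    bytesPerSample = (si->bitsPerSample + 7) / 8;
    if (!mul_u64_checked(si->totalPCMFrameCount, si->channels, &total)) return 0;
    if (!mul_u64_checked(total, bytesPerSample, &total)) return 0;
    if (total > max_bytes) return 0;               /* legal header, but more than we allow */
    *out = (size_t)total;
    return 1;
}

/* Allocates the decode buffer only when the size check passes. */
void *allocate_pcm_buffer(const stream_info *si, size_t max_bytes) {
    size_t n;
    if (!checked_buffer_size(si, max_bytes, &n) || n == 0) return NULL;
    return calloc(n, 1);
}

int main(void) {
    /* Constructed inputs: one second of CD audio, one crafted header whose
       product is exactly 2^64 (wraps to 0), one legal-looking 2 TB header. */
    stream_info normal    = { 44100, 2, 16 };
    stream_info crafted   = { (uint64_t)1 << 62, 2, 16 };
    stream_info oversized = { ((uint64_t)1 << 36) - 1, 8, 32 };
    const size_t cap = 256u << 20;                 /* 256 MiB policy cap */
    size_t n;
    int ok;

    ok = checked_buffer_size(&normal, cap, &n);
    printf("normal:    unchecked=%zu checked=%d size=%zu\n", unchecked_buffer_size(&normal), ok, n);
    ok = checked_buffer_size(&crafted, cap, &n);
    printf("crafted:   unchecked=%zu checked=%d size=%zu\n", unchecked_buffer_size(&crafted), ok, n);
    ok = checked_buffer_size(&oversized, cap, &n);
    printf("oversized: unchecked=%zu checked=%d size=%zu\n", unchecked_buffer_size(&oversized), ok, n);
    return 0;
}
```

The unchecked path returns 0 bytes for the crafted header on both 32-bit and 64-bit size_t, which is the dangerous case: the allocation succeeds and every later write is out of bounds. The hardened path rejects it at the range check, rejects the 2 TB header at the policy cap, and still accepts ordinary files; a decoder that fails closed on a bad header turns a crash into a clean decode error.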
References

https://github.com/mackron/dr_libs/commit/b2197b2eb7bb609df76315bebf44db4ec2a1aed0

Other Information

CVE IDs: CVE-2025-14369
Date Public: 2026-01-20
Date First Published: 2026-01-20
Date Last Updated: 2026-01-20 11:49 UTC
Document Revision: 1
