CVE-2026-1764

EUVD-2026-37025
A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor. When processing specially crafted MP3 files containing ID3v2.4 tags, a missing bounds check in the `extract_performers_tags` function can lead to a heap buffer overflow. This vulnerability allows a remote attacker to cause a Denial of Service (DoS) by triggering a read of unmapped memory. In some cases, it could also lead to information disclosure by reading visible heap data.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 5.6 MEDIUM | LOCAL | LOW | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H |

This vulnerability is currently awaiting analysis.

EPSS Score percentile: 9%

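Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| localsearch | forky | 3.11.1-3 | fixed |
| localsearch | sid | 3.11.1-3 | fixed |
| tracker-miners | bookworm | | no-dsa |
| tracker-miners | bullseye | 2.3.5-2.1 | fixed |
| tracker-miners | trixie | | no-dsa |
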
openSUSE / SLES Releases

| openSUSE Product | Release | Version | Status |
|---|---|---|---|
| tracker-miner-files | suse enterprise desktop 15 SP7 | 3.6.2-150600.4.6.1 | fixed |
| tracker-miner-files | suse enterprise sap 15 SP7 | 3.6.2-150600.4.6.1 | fixed |
| tracker-miner-files | suse enterprise server 15 SP7 | 3.6.2-150600.4.6.1 | fixed |
| tracker-miners | suse enterprise desktop 15 SP7 | 3.6.2-150600.4.6.1 | fixed |
| tracker-miners | suse enterprise sap 15 SP7 | 3.6.2-150600.4.6.1 | fixed |
| tracker-miners | suse enterprise server 15 SP7 | 3.6.2-150600.4.6.1 | fixed |

Amazon Linux Releases

| Amazon Package | Release | Version | Status |
|---|---|---|---|
| tracker-miners | Amazon Linux 2023 | 0:3.7.4-2.amzn2023.0.2 | fixed |
| tracker-miners-debuginfo | Amazon Linux 2023 | 0:3.7.4-2.amzn2023.0.2 | fixed |
| tracker-miners-debugsource | Amazon Linux 2023 | 0:3.7.4-2.amzn2023.0.2 | fixed |