PatchSiren cyber security CVE debrief
CVE-2026-1764 Red Hat CVE debrief
A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor. When processing specially crafted MP3 files containing ID3v2.4 tags, a missing bounds check in the `extract_performers_tags` function can lead to a heap buffer overflow. This vulnerability allows a remote attacker to cause a Denial of Service (DoS) by triggering a read of unmapped memory. In some cases, it could also lead to information disclosure by reading visible heap data.
- Vendor: Red Hat
- Product: Red Hat Enterprise Linux 10
- CVSS: MEDIUM 5.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-16
- Original CVE updated: 2026-06-16
- Advisory published: 2026-06-16
- Advisory updated: 2026-06-16
Who should care
Users of GNOME localsearch (previously known as tracker-miners) MP3 Extractor, particularly those processing MP3 files from untrusted sources.
Technical summary
The vulnerability is caused by a missing bounds check in the `extract_performers_tags` function when processing specially crafted MP3 files containing ID3v2.4 tags. This can lead to a heap buffer overflow, allowing a remote attacker to cause a Denial of Service (DoS) or potentially disclose information by reading visible heap data.
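The kind of bounds check the summary refers to, as an added example (not localsearch's code and not the upstream fix). It assumes performer credits arrive as alternating role/name strings in an ID3v2.4 text frame, a layout taken from the ID3v2.4 specification's TMCL frame rather than from this advisory; the function names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_HDR 10 /* ID3v2.4 frame header: 4-byte ID, 4-byte syncsafe size, 2 flag bytes */
/* Constructed sample frame: encoding byte 0x03 (UTF-8), then role/name strings. */
static const uint8_t SAMPLE[] = "TMCL\x00\x00\x00\x16\x00\x00\x03guitar\0Alice\0bass\0Bob";
#define SAMPLE_LEN (sizeof SAMPLE - 1) /* drop the literal's implicit NUL */

/* Decode a 28-bit syncsafe integer; -1 if any byte has its top bit set. */
static long syncsafe(const uint8_t *p)
{
    if ((p[0] | p[1] | p[2] | p[3]) & 0x80) return -1;
    return ((long)p[0] << 21) | ((long)p[1] << 14) | ((long)p[2] << 7) | p[3];
}

/* Length of the string at body[*pos], ending at a NUL or at `end`; advances *pos past it. */
static size_t next_string(const uint8_t *body, size_t *pos, size_t end)
{
    const uint8_t *s = body + *pos;
    const uint8_t *nul = memchr(s, 0, end - *pos); /* search is capped at the frame end */
    size_t len = nul ? (size_t)(nul - s) : end - *pos;
    *pos += len + (nul ? 1 : 0);
    return len;
}

/* Count complete role/name pairs in the frame at buf[off]; -1 if the frame is malformed. */
int count_performer_pairs(const uint8_t *buf, size_t buf_len, size_t off)
{
    if (off > buf_len || buf_len - off < FRAME_HDR) return -1;
    long size = syncsafe(buf + off + 4);
    if (size < 1 || (size_t)size > buf_len - off - FRAME_HDR) return -1; /* size must fit the buffer */
    const uint8_t *body = buf + off + FRAME_HDR;
    if (body[0] != 0x00 && body[0] != 0x03) return -1; /* single-byte encodings only */
    size_t pos = 1, end = (size_t)size;
    int pairs = 0;
    while (pos < end) {
        next_string(body, &pos, end);             /* role */
        if (pos >= end) break;                    /* role with no name: stop, read nothing */
        if (next_string(body, &pos, end) > 0) pairs++;
    }
    return pairs;
}

int main(void)
{
    printf("pairs=%d truncated=%d\n", count_performer_pairs(SAMPLE, SAMPLE_LEN, 0), count_performer_pairs(SAMPLE, 20, 0));
    return 0;
}
```

Every read is limited by `end`, which is derived from a declared size already validated against the real buffer length, so a frame that claims more data than the file holds is rejected instead of being walked past the allocation.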
Defensive priority
MEDIUM
Recommended defensive actions
- Update GNOME localsearch (previously known as tracker-miners) MP3 Extractor to the latest version.
- Be cautious when processing MP3 files from untrusted sources.
Evidence notes
The CVE-2026-1764 vulnerability has been documented in various sources, including the NVD detail page.
Official resources
CVE-2026-1764 was published on 2026-06-16T02:16:17.103Z and has not been modified since then.