PatchSiren cyber security CVE debrief
CVE-2026-1767 Red Hat CVE debrief
A flaw was found in the GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` component. A remote attacker could exploit this heap buffer overflow vulnerability by providing a specially crafted MP3 file containing malformed ID3 tags. An incorrect length calculation during the parsing of performer tags can lead to a read beyond the allocated buffer, potentially causing a Denial of Service (DoS) due to a crash or enabling information disclosure.
- Vendor: Red Hat
- Product: Red Hat Enterprise Linux 10
- CVSS: MEDIUM 5.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-16
- Original CVE updated: 2026-06-16
- Advisory published: 2026-06-16
- Advisory updated: 2026-06-16
Who should care
Users of GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` component.
Technical summary
The vulnerability is caused by an incorrect length calculation during the parsing of performer tags in the MP3 Extractor `tracker-extract-mp3` component. This can lead to a read beyond the allocated buffer, potentially causing a Denial of Service (DoS) due to a crash or enabling information disclosure.
Defensive priority
MEDIUM
Recommended defensive actions
- Apply patches or updates provided by the vendor to fix the vulnerability.
- Use secure protocols for transferring MP3 files.
- Validate and sanitize MP3 files before processing them.
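As an illustration of the validation step, the sketch below walks the frames of an ID3v2.3/2.4 tag and rejects any frame whose declared length exceeds the bytes actually remaining. It is an added example, not localsearch code and not a reconstruction of the flaw itself; the function name `id3v2_check_frames` is hypothetical, the sample tags are constructed, and tags carrying an extended header are treated as unsupported.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BAD UINT32_MAX

/* 28-bit synchsafe integer: four bytes, high bit of each must be clear. */
static uint32_t synchsafe(const uint8_t *p) {
    if ((p[0] | p[1] | p[2] | p[3]) & 0x80) return BAD;
    return ((uint32_t)p[0] << 21) | ((uint32_t)p[1] << 14) |
           ((uint32_t)p[2] << 7) | p[3];
}

/* Walk an ID3v2.3/2.4 tag. Returns the number of frames whose declared
 * size fits inside both the tag and the buffer, or -1 on any violation. */
int id3v2_check_frames(const uint8_t *buf, size_t len) {
    if (len < 10 || memcmp(buf, "ID3", 3) != 0) return -1;
    uint8_t major = buf[3];
    /* Assumption of this example: extended headers are not handled. */
    if ((major != 3 && major != 4) || (buf[5] & 0x40)) return -1;
    uint32_t tag = synchsafe(buf + 6);
    if (tag == BAD || tag > len - 10) return -1;
    size_t pos = 10, end = 10 + (size_t)tag;
    int frames = 0;
    while (end - pos >= 10 && buf[pos] != 0) { /* a zero byte starts padding */
        const uint8_t *f = buf + pos;
        uint32_t fsz = (major == 4) ? synchsafe(f + 4)
            : ((uint32_t)f[4] << 24) | ((uint32_t)f[5] << 16) |
              ((uint32_t)f[6] << 8) | f[7];
        /* Compare against the bytes remaining, never pos + fsz (can wrap). */
        if (fsz == BAD || fsz > end - pos - 10) return -1;
        /* Text frames such as TPE1 (performer) start with an encoding byte. */
        if (f[0] == 'T' && fsz < 1) return -1;
        pos += 10 + (size_t)fsz;
        frames++;
    }
    return frames;
}

/* Constructed samples: a TPE1 frame holding "\0Abcd", then the same tag
 * with the frame size inflated to 0x40 while the tag is still 15 bytes. */
static const uint8_t good_tag[] = { 'I','D','3',3,0,0, 0,0,0,15,
    'T','P','E','1', 0,0,0,5, 0,0, 0,'A','b','c','d' };
static const uint8_t bad_tag[]  = { 'I','D','3',3,0,0, 0,0,0,15,
    'T','P','E','1', 0,0,0,0x40, 0,0, 0,'A','b','c','d' };

int main(void) {
    return (id3v2_check_frames(good_tag, sizeof good_tag) == 1 &&
            id3v2_check_frames(bad_tag, sizeof bad_tag) == -1) ? 0 : 1;
}
```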
Evidence notes
The vulnerability was found in the GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` component.
Official resources
CVE-2026-1767 was published on 2026-06-16T02:16:18.447Z.