{"id":"CVE-2021-21417","details":"fluidsynth is a software synthesizer based on the SoundFont 2 specifications. A use after free violation was discovered in fluidsynth, that can be triggered when loading an invalid SoundFont file.","modified":"2026-04-16T04:36:49.319639520Z","published":"2021-04-29T17:15:09.023Z","related":["GHSA-6fcq-pxhc-jxc9"],"references":[{"type":"ADVISORY","url":"https://github.com/FluidSynth/fluidsynth/security/advisories/GHSA-6fcq-pxhc-jxc9"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/06/msg00027.html"},{"type":"FIX","url":"https://github.com/FluidSynth/fluidsynth/pull/810"},{"type":"EVIDENCE","url":"https://github.com/FluidSynth/fluidsynth/issues/808"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/fluidsynth/fluidsynth","events":[{"introduced":"0"},{"fixed":"005719628aef0bd48dc7b2f860c7e4ca16b81044"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.1.8"}]}}],"versions":["v1.1.2","v1.1.3","v1.1.4","v1.1.5","v1.1.6","v2.0.0","v2.0.0.beta1","v2.0.0.beta2","v2.0.0.rc1","v2.0.1","v2.0.2","v2.1.0","v2.1.0.rc1","v2.1.1","v2.1.2","v2.1.3","v2.1.4","v2.1.5","v2.1.6","v2.1.7"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21417.json","vanir_signatures_modified":"2026-04-11T23:34:00Z","vanir_signatures":[{"signature_version":"v1","source":"https://github.com/fluidsynth/fluidsynth/commit/005719628aef0bd48dc7b2f860c7e4ca16b81044","signature_type":"Line","id":"CVE-2021-21417-b2340688","deprecated":false,"digest":{"line_hashes":["48885938282331019127197626419836307014","110753109995881962928445110041674456256","121492536121844320821012634259806870192","244250008653137373573258873778707470889","110481844234258377108205728634290871755","106434345867872264672328437380783120138","75442270675680468273110843789053691131","95798495319292279337806353917834424064","333074141710635353878506192750459148821","47326553705705572167105152637548941869","16808106559652375976008750122874879042","172764031837794924691065524078847990979","220534147200632390022598891401921673442","13850095192963669915694205988520717420","236778933972772207078581007412662589462","318383126056721000529860358731732644709","85476600705861003317693399597125986122","288936857336585327545519535369585347744","121492536121844320821012634259806870192","244250008653137373573258873778707470889","336122938356400900669879383199080583791","322868890313760197567011974418590242518","42515258426239574087291571328387395543","329887052572185232004397664573681896528","333074141710635353878506192750459148821","160110383922649587958162413498630141605","285706012640618526127375349468795119952","275649253706964016154533079856786817649","101735777680155907571942409117773240958","11104868105589290390572019506936048960","236778933972772207078581007412662589462","318383126056721000529860358731732644709"],"threshold":0.9},"target":{"file":"src/sfloader/fluid_sffile.c"}},{"deprecated":false,"source":"https://github.com/fluidsynth/fluidsynth/commit/005719628aef0bd48dc7b2f860c7e4ca16b81044","target":{"file":"src/sfloader/fluid_sffile.c","function":"load_pgen"},"signature_type":"Function","id":"CVE-2021-21417-cfdb3ac4","digest":{"length":2846,"function_hash":"331369067606282572002129312609689129378"},"signature_version":"v1"},{"target":{"file":"src/sfloader/fluid_sffile.c","function":"load_igen"},"source":"https://github.com/fluidsynth/fluidsynth/commit/005719628aef0bd48dc7b2f860c7e4ca16b81044","signature_type":"Function","id":"CVE-2021-21417-e6733bbb","deprecated":false,"digest":{"length":2834,"function_hash":"95500749034621577397607449282478807781"},"signature_version":"v1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}