FluidSynth received 6 vulnerability reports within a week - thanks to all security researchers! Please note that GitHub is currently running behind on issuing CVE IDs, see their blog post. We expect the missing CVE IDs to be issued within the upcoming week.
- Fix CVE-2026-58264 - a heap-based buffer overrun in the command handler (GHSA-mqmq-w63q-cj94)
- Fix a heap-based buffer overflow in the MIDI player (GHSA-976m-35rw-h3m6)
- Fix a heap-based buffer overrun for DLS samples (GHSA-59ph-rx8r-8p4j)
- Fix a DLS ptbl chunk integer overflow (GHSA-r4mc-v3p8-pv47)
- Fix a DLS articulation chunk integer overflow (GHSA-hp72-35pr-6h6r)
- Fix an SF2 DMOD chunk integer underflow (GHSA-rmc4-c8hw-455w)