CISA alerts on dr_flac integer overflow in dr_libs

dr_flac, the FLAC decoder component of the open-source dr_libs toolkit, contains an integer overflow vulnerability that can lead to a Denial of Service (DoS) when the component processes a specially crafted FLAC file.

The flaw is tracked as CVE-2025-14369 and affects the dr_flac component of dr_libs, a toolkit that also comprises dr_mp3 and dr_wav. An attacker-supplied, specially crafted FLAC file may trigger the allocation of a very large amount of memory: during processing, the decoder sizes a single block of memory from the totalPCMFrameCount value in the FLAC metadata without validating that value before the buffer size is calculated, so the buffer-size calculation can overflow. The issue was corrected in commit b2197b2.
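To make the class of bug concrete, the following is an added example written for this page; it is not dr_flac's code and does not reproduce the project's actual allocation logic. It assumes a decoder computes an output buffer size as frames × channels × bytes per sample from a frame count read out of file metadata (the hypothetical parameter `total_pcm_frames` stands in for a value such as totalPCMFrameCount). The unchecked variant shows how a huge metadata value can wrap the product so that the computed size no longer matches the data the decoder will later write; the checked variant refuses any frame count whose implied size would overflow or exceed a caller-set limit, which is the kind of validation the advisory says was missing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical illustration, not dr_flac's code: size a PCM output
   buffer from a frame count taken from untrusted file metadata. */

/* Unchecked variant: mirrors the bug class in the advisory. All operands
   are widened to uint64_t, but the product can still wrap modulo 2^64,
   so a pathological frame count yields a tiny, wrong size. */
static size_t pcm_buffer_size_unchecked(uint64_t total_pcm_frames,
                                        uint32_t channels,
                                        uint32_t bytes_per_sample)
{
    return (size_t)(total_pcm_frames * channels * bytes_per_sample);
}

/* Checked variant: returns 0 (reject) when the parameters are degenerate,
   when the multiplication would wrap, or when the size exceeds a policy
   limit chosen by the caller. The caller must treat 0 as "refuse the
   file", never as "allocate zero bytes". */
static size_t pcm_buffer_size_checked(uint64_t total_pcm_frames,
                                      uint32_t channels,
                                      uint32_t bytes_per_sample,
                                      size_t max_bytes)
{
    if (channels == 0 || bytes_per_sample == 0)
        return 0;

    /* Two uint32_t values always fit in a uint64_t product. */
    uint64_t per_frame = (uint64_t)channels * bytes_per_sample;

    /* Guard the second multiplication with a division: if frames exceeds
       UINT64_MAX / per_frame, frames * per_frame would wrap. */
    if (total_pcm_frames > UINT64_MAX / per_frame)
        return 0;
    uint64_t total = total_pcm_frames * per_frame;

    /* size_t may be narrower than uint64_t on 32-bit targets, and the
       caller's limit bounds what this decoder is willing to allocate. */
    if (total > (uint64_t)SIZE_MAX || total > (uint64_t)max_bytes)
        return 0;

    return (size_t)total;
}

/* Allocate only after the size has been validated; NULL means rejected. */
static void *allocate_pcm_buffer(uint64_t total_pcm_frames,
                                 uint32_t channels,
                                 uint32_t bytes_per_sample,
                                 size_t max_bytes,
                                 size_t *out_size)
{
    size_t n = pcm_buffer_size_checked(total_pcm_frames, channels,
                                       bytes_per_sample, max_bytes);
    if (n == 0)
        return NULL;
    *out_size = n;
    return malloc(n);
}

int main(void)
{
    /* Constructed metadata value: 2^63 + 1 frames, stereo, 16-bit. */
    uint64_t hostile_frames = ((uint64_t)1 << 63) + 1;

    printf("unchecked size for hostile metadata: %zu bytes\n",
           pcm_buffer_size_unchecked(hostile_frames, 2, 2));
    printf("checked size for hostile metadata:   %zu (0 = rejected)\n",
           pcm_buffer_size_checked(hostile_frames, 2, 2,
                                   (size_t)1 << 30));

    size_t n = 0;
    void *buf = allocate_pcm_buffer(1000, 2, 2, (size_t)1 << 30, &n);
    printf("sane metadata: %s, %zu bytes\n", buf ? "allocated" : "rejected", n);
    free(buf);
    return 0;
}
```

The policy limit matters as much as the wrap check: a frame count that does not overflow arithmetically can still describe a multi-gigabyte buffer, and refusing it up front is what turns "attacker-controlled allocation size" into a clean rejection rather than a crash.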

If an attacker can supply FLAC input to a tool, or to any other input stream, that uses dr_flac, the tool could crash or otherwise experience a DoS condition.

The fix is included in commit b2197b2, which has been published on GitHub. All versions prior to commit b2197b2 are affected.

Users should update to the latest version as soon as possible, per the advisory guidance.