CVE-2026-32256
Published: 18 March 2026
Summary
CVE-2026-32256 is a high-severity Infinite Loop (CWE-835) vulnerability in Borewit Music-Metadata. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the infinite loop flaw in the music-metadata ASF parser by requiring timely patching to version 11.12.3 or later.
- SI-10 (Information Input Validation): Validates untrusted media files and rejects malformed ASF Header Extension Objects containing zero-sized sub-objects before parsing, so the infinite loop is never triggered.
- Denial-of-service protection: Limits the impact of CPU resource exhaustion caused by the infinite loop in vulnerable music-metadata versions (for example, by parsing untrusted media with time and CPU limits in an isolated worker).
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remote, unauthenticated denial of service via a crafted ASF file supplied to a public-facing application or service that uses the vulnerable parser maps directly to T1190 (Exploit Public-Facing Application) and T1499.004 (Application or System Exploitation, for the availability impact).
NVD Description
music-metadata is a metadata parser for audio and video media files. Prior to version 11.12.3, music-metadata's ASF parser (`parseExtensionObject()` in `lib/asf/AsfParser.ts:112-158`) enters an infinite loop when a sub-object inside the ASF Header Extension Object has `objectSize = 0`. Version 11.12.3 fixes the issue.
Deeper analysis
CVE-2026-32256 is a denial-of-service vulnerability in the music-metadata library, a Node.js parser for metadata in audio and video media files. The issue affects versions prior to 11.12.3 and resides in the ASF parser's `parseExtensionObject()` function (lib/asf/AsfParser.ts:112-158), where processing a sub-object inside the ASF Header Extension Object with `objectSize = 0` triggers an infinite loop. This flaw is classified under CWE-835 (Infinite Loop) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Attackers can exploit this vulnerability remotely without authentication or user interaction by supplying a specially crafted ASF file containing a malformed sub-object with zero size. Any application or service using the vulnerable music-metadata library to parse untrusted media files is at risk, leading to resource exhaustion via CPU-bound infinite looping, resulting in application crashes or hangs and high availability impact.
The music-metadata project released version 11.12.3 to address the issue, as detailed in the GitHub release notes (https://github.com/Borewit/music-metadata/releases/tag/v11.12.3) and security advisory GHSA-v6c2-xwv6-8xf7 (https://github.com/Borewit/music-metadata/security/advisories/GHSA-v6c2-xwv6-8xf7). Security practitioners should upgrade to 11.12.3 or later and validate inputs when parsing media metadata from untrusted sources.
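The following is an added illustration, not code from the music-metadata project, of the parsing pattern the advisory describes and of the input-validation fix (SI-10) it recommends. ASF objects share one layout: a 16-byte GUID followed by a 64-bit little-endian object size that counts the header itself, so a loop that advances its cursor by that size stalls when the size is zero. The sub-object GUIDs and payloads below are constructed for the example; the unguarded loop is bounded by an iteration cap purely so it can be demonstrated without hanging.

```javascript
// Added example (not the music-metadata project's code): a loop over the
// sub-objects of an ASF Header Extension Object, first in the shape that
// stalls on objectSize = 0 (CWE-835), then hardened with size validation.

const ASF_OBJECT_HEADER_SIZE = 24; // 16-byte GUID + 8-byte little-endian size

function guidHex(buf, offset) {
  return buf.subarray(offset, offset + 16).toString('hex');
}

// Unguarded shape: the cursor advances by objectSize, so a sub-object that
// declares size 0 is re-read forever. The maxIterations cap exists only for
// this demonstration; a real parser in this shape has no such cap.
function parseSubObjectsUnguarded(data, maxIterations = 1000) {
  const objects = [];
  let pos = 0;
  let iterations = 0;
  while (pos + ASF_OBJECT_HEADER_SIZE <= data.length) {
    if (++iterations > maxIterations) {
      return { objects, stuck: true, iterations };
    }
    const size = Number(data.readBigUInt64LE(pos + 16));
    objects.push({ guid: guidHex(data, pos), size });
    pos += size; // size 0 -> pos never changes
  }
  return { objects, stuck: false, iterations };
}

// Hardened shape: every sub-object must be at least as large as its own
// header and must fit inside the remaining data, which guarantees that the
// cursor strictly advances and that reads stay in bounds.
function parseSubObjectsGuarded(data) {
  const objects = [];
  let pos = 0;
  while (pos < data.length) {
    const remaining = data.length - pos;
    if (remaining < ASF_OBJECT_HEADER_SIZE) {
      throw new Error(`truncated sub-object header at offset ${pos}`);
    }
    const size = Number(data.readBigUInt64LE(pos + 16));
    if (size < ASF_OBJECT_HEADER_SIZE) {
      throw new Error(`invalid sub-object size ${size} at offset ${pos}`);
    }
    if (size > remaining) {
      throw new Error(`sub-object at offset ${pos} overruns data (${size} > ${remaining})`);
    }
    objects.push({
      guid: guidHex(data, pos),
      size,
      payload: data.subarray(pos + ASF_OBJECT_HEADER_SIZE, pos + size),
    });
    pos += size;
  }
  return objects;
}

// Build one sub-object with a constructed GUID (16 repeated bytes) and payload.
// `declaredSize`, when given, overrides the real size to mimic malformed input.
function makeSubObject(guidByte, payload, declaredSize) {
  const header = Buffer.alloc(ASF_OBJECT_HEADER_SIZE);
  header.fill(guidByte, 0, 16);
  const size = declaredSize === undefined
    ? BigInt(ASF_OBJECT_HEADER_SIZE + payload.length)
    : BigInt(declaredSize);
  header.writeBigUInt64LE(size, 16);
  return Buffer.concat([header, payload]);
}

// Constructed sample inputs: a well-formed extension body and one whose
// second sub-object declares objectSize = 0.
const wellFormed = Buffer.concat([
  makeSubObject(0xaa, Buffer.from('first')),
  makeSubObject(0xbb, Buffer.from('second')),
]);

const zeroSized = Buffer.concat([
  makeSubObject(0xaa, Buffer.from('first')),
  makeSubObject(0xcc, Buffer.alloc(0), 0),
]);

// Returns a short summary of both parsers on both inputs.
function demo() {
  let guardedError = null;
  try {
    parseSubObjectsGuarded(zeroSized);
  } catch (e) {
    guardedError = e.message;
  }
  return {
    guardedWellFormedCount: parseSubObjectsGuarded(wellFormed).length,
    unguardedWellFormedStuck: parseSubObjectsUnguarded(wellFormed).stuck,
    unguardedZeroSizedStuck: parseSubObjectsUnguarded(zeroSized).stuck,
    guardedZeroSizedError: guardedError,
  };
}

console.log(demo());
```

The guarded loop rejects the zero-sized sub-object at its offset with a parse error instead of spinning, which is the behaviour a caller can turn into a 4xx response or a skipped file. Pairing that check with a time or CPU budget on the worker that parses untrusted media limits the blast radius if another parser path is found to have the same shape.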
Details
- CWE(s)