#1124796 whisper.cpp: CVE-2025-14569

Package: src:whisper.cpp
Source: src:whisper.cpp
Submitter: Salvatore Bonaccorso
Date: 2026-05-18 18:23:02 UTC
Severity: normal
Tags:
#1124796#5
Date: 2026-01-06 21:26:53 UTC
Hi,

The following vulnerability was published for whisper.cpp.

CVE-2025-14569[0]:
| A vulnerability was detected in ggml-org whisper.cpp up to 1.8.2.
| Affected is the function read_audio_data of the file
| /whisper.cpp/examples/common-whisper.cpp. The manipulation results
| in use after free. The attack requires a local approach. The exploit
| is now public and may be used. The project was informed of the
| problem early through an issue report but has not responded yet.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-14569
https://www.cve.org/CVERecord?id=CVE-2025-14569
[1] https://github.com/ggml-org/whisper.cpp/issues/3501

Regards,
Salvatore

#1124796#10
Date: 2026-05-11 13:13:20 UTC
Hi,

Please find attached a patch that fixes CVE-2025-14569, a use-after-free
vulnerability in the read_audio_data() function in common-whisper.cpp.

The fix adds a decoder_initialized flag, verifies ma_decoder_init_file()
return value explicitly, only calls ma_decoder_uninit() when the decoder
was successfully initialized, and adds proper cleanup on error paths.

The upstream (ggml-org) was notified via GitHub issue #3501 in November
2025 but has not responded. This patch is ready for Debian packaging.

Best regards,
Claudio Ferreira
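
The cleanup pattern this message describes, as an added illustration that is neither the attached patch nor whisper.cpp code. `stub_decoder`, `stub_init_file`, `stub_uninit` and `read_audio` are hypothetical stand-ins for the miniaudio calls, and the failure behaviour of the stub is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-in for a decoder library; not miniaudio's API. */
typedef struct { float *frames; size_t count; } stub_decoder;

static int live_buffers = 0;  /* decoder buffers currently allocated */
static int uninit_calls = 0;  /* how often cleanup actually ran */

/* Constructed behaviour: an empty path fails and leaves *d untouched. */
static int stub_init_file(const char *path, stub_decoder *d) {
    if (path == NULL || path[0] == '\0') return -1;
    d->count = 4;
    d->frames = calloc(d->count, sizeof *d->frames);
    if (d->frames == NULL) return -1;
    live_buffers++;
    return 0;
}

/* Releases the decoder's buffer; only valid after a successful init. */
static void stub_uninit(stub_decoder *d) {
    free(d->frames);
    d->frames = NULL;
    live_buffers--;
    uninit_calls++;
}

/* Copies decoded frames into out; returns false on any error. */
bool read_audio(const char *path, float *out, size_t cap) {
    stub_decoder dec;                 /* deliberately not zeroed */
    bool decoder_initialized = false; /* set only after init succeeds */
    bool ok = false;

    /* Return value checked explicitly; on failure dec is never touched again. */
    if (stub_init_file(path, &dec) != 0) goto cleanup;
    decoder_initialized = true;

    /* Error path after a successful init: cleanup must still run once. */
    if (out == NULL || cap < dec.count) goto cleanup;
    for (size_t i = 0; i < dec.count; i++) out[i] = dec.frames[i];
    ok = true;

cleanup:
    if (decoder_initialized) stub_uninit(&dec); /* skipped if init failed */
    return ok;
}
```
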

#1124796#15
Date: 2026-05-14 06:34:18 UTC
Thank you for the patch.  I have passed it upstream as
<URL: https://github.com/ggml-org/whisper.cpp/pull/3810 > to
allow them to review it before considering it for inclusion
in Debian.

#1124796#20
Date: 2026-05-15 08:48:30 UTC
[Claudio Ferreira]

Thank you.

When I passed the patch upstream, I was told that this issue has already
been fixed in commit
cec1dd9d1276a1df679858222f3b1dc0551c5220 from 2026-02-27 when the
miniaudio version was updated from 0.11.22 to 0.11.24 and the issue can
no longer be reproduced, see
<URL: https://github.com/ggml-org/whisper.cpp/issues/3501 >.

This fix is included in version 1.8.4 already uploaded into Debian.

Do you agree with this finding?