{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32889", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T21:03:44.422Z", "datePublished": "2026-03-20T02:23:25.079Z", "dateUpdated": "2026-03-21T02:59:12.338Z"}, "containers": {"cna": {"title": "tinytag: Denial of Service via non-terminating SYLT frame parsing loop", "problemTypes": [{"descriptions": [{"cweId": "CWE-835", "lang": "en", "description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/tinytag/tinytag/security/advisories/GHSA-f4rq-2259-hv29", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tinytag/tinytag/security/advisories/GHSA-f4rq-2259-hv29"}, {"name": "https://github.com/tinytag/tinytag/commit/44e496310f7ced8077e9087e3774acbaa324b18a", "tags": ["x_refsource_MISC"], "url": "https://github.com/tinytag/tinytag/commit/44e496310f7ced8077e9087e3774acbaa324b18a"}, {"name": "https://github.com/tinytag/tinytag/commit/4d649b9c314ada8ff8a74e0469e9aadb3acb252a", "tags": ["x_refsource_MISC"], "url": "https://github.com/tinytag/tinytag/commit/4d649b9c314ada8ff8a74e0469e9aadb3acb252a"}, {"name": "https://github.com/tinytag/tinytag/commit/5cd321521ff097e41724b601d7e3d7adc7e53402", "tags": ["x_refsource_MISC"], "url": "https://github.com/tinytag/tinytag/commit/5cd321521ff097e41724b601d7e3d7adc7e53402"}], "affected": [{"vendor": "tinytag", "product": "tinytag", "versions": [{"version": ">= 2.2.0, < 2.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T02:23:25.079Z"}, "descriptions": [{"lang": "en", "value": "tinytag is a Python library for reading audio file metadata. Version 2.2.0 allows an attacker who can supply MP3 files for parsing to trigger a non-terminating loop while the library parses an ID3v2 SYLT (synchronized lyrics) frame. In server-side deployments that automatically parse attacker-supplied files, a single 498-byte MP3 can cause the parsing operation to stop making progress and remain busy until the worker or process is terminated. The root cause is that _parse_synced_lyrics assumes _find_string_end_pos always returns a position greater than the current offset. That assumption is false when no string terminator is present in the remaining frame content. This issue has been fixed in version 2.2.1."}], "source": {"advisory": "GHSA-f4rq-2259-hv29", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-21T02:58:19.146172Z", "id": "CVE-2026-32889", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T02:59:12.338Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32889", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-21T02:58:19.146172Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T02:59:07.925Z"}}], "cna": {"title": "tinytag: Denial of Service via non-terminating SYLT frame parsing loop", "source": {"advisory": "GHSA-f4rq-2259-hv29", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "tinytag", "product": "tinytag", "versions": [{"status": "affected", "version": ">= 2.2.0, < 2.2.1"}]}], "references": [{"url": "https://github.com/tinytag/tinytag/security/advisories/GHSA-f4rq-2259-hv29", "name": "https://github.com/tinytag/tinytag/security/advisories/GHSA-f4rq-2259-hv29", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/tinytag/tinytag/commit/44e496310f7ced8077e9087e3774acbaa324b18a", "name": "https://github.com/tinytag/tinytag/commit/44e496310f7ced8077e9087e3774acbaa324b18a", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/tinytag/tinytag/commit/4d649b9c314ada8ff8a74e0469e9aadb3acb252a", "name": "https://github.com/tinytag/tinytag/commit/4d649b9c314ada8ff8a74e0469e9aadb3acb252a", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/tinytag/tinytag/commit/5cd321521ff097e41724b601d7e3d7adc7e53402", "name": "https://github.com/tinytag/tinytag/commit/5cd321521ff097e41724b601d7e3d7adc7e53402", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "tinytag is a Python library for reading audio file metadata. Version 2.2.0 allows an attacker who can supply MP3 files for parsing to trigger a non-terminating loop while the library parses an ID3v2 SYLT (synchronized lyrics) frame. In server-side deployments that automatically parse attacker-supplied files, a single 498-byte MP3 can cause the parsing operation to stop making progress and remain busy until the worker or process is terminated. The root cause is that _parse_synced_lyrics assumes _find_string_end_pos always returns a position greater than the current offset. That assumption is false when no string terminator is present in the remaining frame content. This issue has been fixed in version 2.2.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-835", "description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T02:23:25.079Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32889", "state": "PUBLISHED", "dateUpdated": "2026-03-21T02:59:12.338Z", "dateReserved": "2026-03-16T21:03:44.422Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T02:23:25.079Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "tinytag is a Python library for reading audio file metadata. Version 2.2.0 allows an attacker who can supply MP3 files for parsing to trigger a non-terminating loop while the library parses an ID3v2 SYLT (synchronized lyrics) frame. In server-side deployments that automatically parse attacker-supplied files, a single 498-byte MP3 can cause the parsing operation to stop making progress and remain busy until the worker or process is terminated. The root cause is that _parse_synced_lyrics assumes _find_string_end_pos always returns a position greater than the current offset. That assumption is false when no string terminator is present in the remaining frame content. This issue has been fixed in version 2.2.1."}], "id": "CVE-2026-32889", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T03:15:59.873", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/tinytag/tinytag/commit/44e496310f7ced8077e9087e3774acbaa324b18a"}, {"source": "security-advisories@github.com", "url": "https://github.com/tinytag/tinytag/commit/4d649b9c314ada8ff8a74e0469e9aadb3acb252a"}, {"source": "security-advisories@github.com", "url": "https://github.com/tinytag/tinytag/commit/5cd321521ff097e41724b601d7e3d7adc7e53402"}, {"source": "security-advisories@github.com", "url": "https://github.com/tinytag/tinytag/security/advisories/GHSA-f4rq-2259-hv29"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "tinytag: tinytag: Denial of Service via malicious MP3 file parsing", "id": "2449419", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449419"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-835", "details": ["A flaw was found in tinytag, a Python library for reading audio file metadata. An attacker who can supply specially crafted MP3 files for parsing can trigger a non-terminating loop within the library. This can cause the parsing operation to stop making progress, leading to a Denial of Service (DoS) where the affected process becomes unresponsive until terminated."], "name": "CVE-2026-32889", "package_state": [{"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Fix deferred", "package_name": "openshift-lightspeed/lightspeed-service-api-rhel9", "product_name": "OpenShift Lightspeed"}], "public_date": "2026-03-20T02:23:25Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32889\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32889\nhttps://github.com/tinytag/tinytag/commit/44e496310f7ced8077e9087e3774acbaa324b18a\nhttps://github.com/tinytag/tinytag/commit/4d649b9c314ada8ff8a74e0469e9aadb3acb252a\nhttps://github.com/tinytag/tinytag/commit/5cd321521ff097e41724b601d7e3d7adc7e53402\nhttps://github.com/tinytag/tinytag/security/advisories/GHSA-f4rq-2259-hv29"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.2.0,2.2.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "tinytag", "source": "cna", "vendor": "tinytag"}, "product": "tinytag", "vendor": "tinytag"}], "analysis": {"en": {"generated_at": "2026-03-20T04:24:00.345243+00:00", "value": {"mitigation_remediation": ["Upgrade tinytag to version 2.2.1 or later", "Restrict the processing of MP3 files to trusted sources or run the parser in an isolated environment", "Consider implementing input size limits to mitigate potential resource exhaustion"], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All deployments that use tinytag 2.2.0 to parse MP3 files are affected. The issue was fixed in version 2.2.1; older releases remain vulnerable. No further environment constraints are specified beyond typical Python runtimes.", "description_and_impact": "tinytag is a Python library that reads audio file metadata. Version 2.2.0 contains a flaw where parsing an ID3v2 SYLT frame can enter a non\u2011terminating infinite loop when no string terminator is present, which is identified as CWE\u2011835. The resulting denial of service occurs because the parser remains busy until the worker or process is terminated, and a single 498\u2011byte MP3 file is sufficient to trigger the loop.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, and no EPSS data or KEV listing is available. The likely attack vector is an attacker providing a malicious MP3 file to a server that automatically parses media using tinytag, causing the parser to hang. The exploit path is straightforward and can lead to resource exhaustion or service outages, making the risk high for applications that process untrusted media."}}}}, "created": "2026-03-20T08:53:05.381956+00:00", "updated": "2026-03-20T10:37:49.506805+00:00", "vendors": ["tinytag", "tinytag$PRODUCT$tinytag"]}