CVE-2026-32889 in tinytag
Summary
by MITRE • 03/20/2026
tinytag is a Python library for reading audio file metadata. Version 2.2.0 allows an attacker who can supply MP3 files for parsing to trigger a non-terminating loop while the library parses an ID3v2 SYLT (synchronized lyrics) frame. In server-side deployments that automatically parse attacker-supplied files, a single 498-byte MP3 can cause the parsing operation to stop making progress and remain busy until the worker or process is terminated. The root cause is that _parse_synced_lyrics assumes _find_string_end_pos always returns a position greater than the current offset. That assumption is false when no string terminator is present in the remaining frame content. This issue has been fixed in version 2.2.1.
Analysis
by VulDB Data Team • 03/25/2026
CVE-2026-32889 affects version 2.2.0 of tinytag, a Python library for reading audio file metadata that is commonly embedded in server-side pipelines which parse user-supplied uploads automatically. The flaw is triggered while parsing an MP3 whose ID3v2 tag contains a SYLT (synchronized lyrics) frame, so a crafted file can hang any application that extracts metadata with the vulnerable version.
The root cause is a logic error in _parse_synced_lyrics. The function assumes that the _find_string_end_pos helper always returns a position greater than the current parsing offset. That assumption does not hold when a SYLT frame contains a malformed or truncated string with no terminator in the remaining frame content: the returned position does not move the offset forward, so the loop re-processes the same bytes on every iteration and never reaches its exit condition. A process stuck in this state stays busy until it is killed.
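The stall described above, as an added example that is not tinytag's code: a hypothetical reconstruction of the pattern, with the SYLT frame layout taken from the ID3v2 specification, the function names find_string_end_pos and parse_synced_lyrics_* mirroring the advisory, and the bodies, the frame builder build_sylt and the sample frames all constructed here. The vulnerable loop carries an iteration budget purely so that the demo returns; the fixed version refuses any helper result that would not move the offset forward and stops on a truncated timestamp.

```python
"""Illustrative reconstruction of the CWE-835 pattern behind CVE-2026-32889.
NOT tinytag's code: the SYLT layout follows the ID3v2 spec, the function
names mirror the advisory, the bodies and sample data are hypothetical."""

# ID3v2 text encoding byte -> (Python codec, terminator width in bytes)
ENCODINGS = {0: ("latin-1", 1), 1: ("utf-16", 2), 2: ("utf-16-be", 2), 3: ("utf-8", 1)}
HEADER_LEN = 6  # encoding(1) + language(3) + timestamp format(1) + content type(1)


def find_string_end_pos(data: bytes, start: int, width: int) -> int:
    """Index of the first NUL terminator (1 or 2 bytes, stepping by `width`)
    at or after `start`, or -1 if none is left.  The -1 sentinel is exactly
    the "position not greater than the offset" the vulnerable loop never checks."""
    pos = start
    while pos + width <= len(data):
        if data[pos:pos + width] == b"\x00" * width:
            return pos
        pos += width
    return -1


def parse_synced_lyrics_vulnerable(frame: bytes, max_iterations: int = 10_000):
    """Loop that trusts find_string_end_pos() to always move forward.
    `max_iterations` is demo instrumentation only: returning None stands in
    for the real loop, which never exits."""
    codec, width = ENCODINGS[frame[0]]
    pos = find_string_end_pos(frame, HEADER_LEN, width) + width  # skip content descriptor
    lyrics, iterations = [], 0
    while pos < len(frame):
        iterations += 1
        if iterations > max_iterations:
            return None  # budget exhausted: the parser has stalled
        end = find_string_end_pos(frame, pos, width)   # -1 once no terminator remains
        text = frame[pos:end].decode(codec, "replace")
        pos = end + width        # with end == -1 this moves pos BACKWARDS (to 0 or 1)
        stamp = int.from_bytes(frame[pos:pos + 4], "big")  # never raises on short input
        pos += 4
        lyrics.append((stamp, text))
    return lyrics


def parse_synced_lyrics_fixed(frame: bytes):
    """Same parse, but every helper result is checked before it becomes the new
    offset, and a truncated timestamp ends the loop instead of wrapping."""
    if len(frame) < HEADER_LEN:
        return []
    try:
        codec, width = ENCODINGS[frame[0]]
    except KeyError:
        raise ValueError(f"unknown ID3v2 text encoding {frame[0]}") from None
    end = find_string_end_pos(frame, HEADER_LEN, width)
    if end < HEADER_LEN:
        return []                   # content descriptor never terminated
    pos = end + width
    lyrics = []
    while pos < len(frame):
        end = find_string_end_pos(frame, pos, width)
        if end < pos:               # no terminator left: -1 would move pos backwards
            break
        text = frame[pos:end].decode(codec, "replace")
        pos = end + width           # end == pos is a legal empty line and still advances
        if pos + 4 > len(frame):
            break                   # timestamp truncated
        stamp = int.from_bytes(frame[pos:pos + 4], "big")
        pos += 4
        lyrics.append((stamp, text))
    return lyrics


def build_sylt(lines, terminated: bool = True, encoding: int = 0) -> bytes:
    """Build a SYLT frame body (constructed test data, not from a real file).
    terminated=False drops the last line's terminator and timestamp, which is
    the "no terminator in the remaining frame content" condition."""
    codec, width = ENCODINGS[encoding]
    term = b"\x00" * width
    body = bytes([encoding]) + b"eng" + b"\x02" + b"\x01" + "desc".encode(codec) + term
    for i, (stamp, text) in enumerate(lines):
        body += text.encode(codec)
        if terminated or i < len(lines) - 1:
            body += term + stamp.to_bytes(4, "big")
    return body


LINES = [(1000, "line one"), (2000, "line two")]
GOOD_FRAME = build_sylt(LINES)
BAD_FRAME = build_sylt(LINES, terminated=False)  # models the crafted file's SYLT frame

if __name__ == "__main__":
    print(parse_synced_lyrics_vulnerable(GOOD_FRAME))
    print(parse_synced_lyrics_vulnerable(BAD_FRAME))   # None: stalled
    print(parse_synced_lyrics_fixed(BAD_FRAME))        # keeps the well-formed line only
```

On BAD_FRAME the vulnerable loop runs off the end, gets -1, rewinds to the start of the frame and repeats the same three-step cycle indefinitely; only the demo budget makes it return. The fix is a single comparison on the helper's result, which is the class of check CWE-835 calls for.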
The operational impact falls on server-side applications that parse user-supplied MP3 files automatically, such as upload and content-processing pipelines. An attacker needs only to submit a specially crafted 498-byte MP3 that triggers the loop; the worker that parses it then burns CPU without making progress until the process is terminated. The attack costs the attacker almost nothing and, in high-throughput deployments where several workers may receive such files at once, can exhaust the available workers and produce a denial of service.
The weakness is classified as CWE-835 (Loop with Unreachable Exit Condition, "Infinite Loop") and maps to ATT&CK technique T1499.004, Endpoint Denial of Service: Application or System Exploitation. Deployments running tinytag 2.2.0 should upgrade to version 2.2.1, which corrects the string termination handling in _parse_synced_lyrics. Beyond updating the library, parsing of untrusted audio should be wrapped in a timeout and run under CPU and memory limits, with monitoring for workers that stop making progress, so that a similar loop in another parser cannot take down the whole service.