KissFFT Integer Overflow: Heap Corruption Risk in Signal Processing

The National Vulnerability Database (NVD) has identified a critical integer overflow vulnerability, CVE-2026-41445, within the KissFFT library. This flaw resides in the kiss_fftndr_alloc() function in kiss_fftndr.c. An attacker can exploit this by crafting specific input dimensions that cause the calculation of the allocation size to exceed the limits of signed 32-bit integer arithmetic. This overflow leads to malloc() allocating a buffer smaller than intended. When kiss_fftndr() processes data using this undersized buffer, it can result in a heap buffer overflow, allowing malicious writes beyond the allocated memory region.

The CVSS score of 8.8 (HIGH) underscores the severity of this issue. The vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates a network-attackable vulnerability requiring user interaction, with a high impact on confidentiality, integrity, and availability. While specific affected products are not detailed by the NVD, any application or system that incorporates this version of KissFFT for its signal processing capabilities is potentially at risk.

Defenders should prioritize identifying and updating any instances of KissFFT where this vulnerability may be present. Given that the vulnerability can be triggered remotely with user interaction, patching or replacing vulnerable library versions is paramount. Organizations relying on third-party software that utilizes KissFFT should actively seek vendor advisories and apply updates promptly. The attacker’s calculus is simple: find an application using vulnerable KissFFT, craft malicious input, and trigger a crash or code execution.