CVE-2026-41445 Overview
KissFFT before commit 8a8e66e contains an integer overflow vulnerability in the kiss_fftndr_alloc() function within kiss_fftndr.c. The allocation size calculation dimOther*(dimReal+2)*sizeof(kiss_fft_scalar) overflows signed 32-bit integer arithmetic before being widened to size_t, causing malloc() to allocate an undersized buffer. Attackers can trigger a heap buffer overflow by providing crafted dimensions that cause the multiplication to exceed INT_MAX, allowing writes beyond the allocated buffer region when kiss_fftndr() processes the data.
Critical Impact
Exploitation of this integer overflow can result in heap buffer overflow, potentially leading to arbitrary code execution, denial of service, or memory corruption in applications using the KissFFT library.
Affected Products
- KissFFT versions prior to commit 8a8e66e33d692bad1376fe7904d87d767730537f
- Applications integrating vulnerable versions of the KissFFT library
- Audio/signal processing software utilizing KissFFT for FFT operations
Discovery Timeline
- 2026-04-20 - CVE-2026-41445 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-41445
Vulnerability Analysis
This vulnerability stems from improper integer handling in the FFT allocation routine. The kiss_fftndr_alloc() function performs dimension calculations using signed 32-bit integer arithmetic. When an attacker provides carefully crafted dimension values, the multiplication operation can wrap around due to integer overflow, resulting in a small positive value instead of the expected large allocation size.
The undersized buffer returned by malloc() is then used to store FFT computation results. When kiss_fftndr() subsequently processes data using the full expected dimensions, it writes beyond the allocated memory region, causing a classic heap buffer overflow condition (CWE-122).
This vulnerability is particularly concerning for applications that accept untrusted input for FFT dimension parameters, such as audio processing libraries, image manipulation tools, or scientific computing applications.
Root Cause
The root cause is the use of int (signed 32-bit) type for the dimOther variable and the prod() helper function return value. When multiplying large dimension values together, the result can exceed INT_MAX (2,147,483,647), causing signed integer overflow which is undefined behavior in C. The wrapped value is then used as the size argument to malloc(), resulting in an undersized allocation.
Attack Vector
An attacker can exploit this vulnerability by providing malicious FFT dimension parameters to any application using the vulnerable KissFFT library. The attack requires:
- Supplying dimension values where their product exceeds INT_MAX
- The application must pass these dimensions to kiss_fftndr_alloc()
- When kiss_fftndr() processes data using these dimensions, the heap overflow occurs
The network attack vector applies when applications accept FFT parameters from network sources, such as audio streaming services or remote data processing APIs.
struct kiss_fftndr_state
{
int dimReal;
- int dimOther;
+ size_t dimOther;
kiss_fftr_cfg cfg_r;
kiss_fftnd_cfg cfg_nd;
void * tmpbuf;
};
-static int prod(const int *dims, int ndims)
+static size_t prod(const int *dims, int ndims)
{
- int x=1;
+ size_t x=1;
while (ndims--)
x *= *dims++;
return x;
Source: GitHub Commit Update
The patch changes dimOther and the prod() function return type from int to size_t, ensuring proper handling of large dimension values without signed integer overflow.
Detection Methods for CVE-2026-41445
Indicators of Compromise
- Abnormal memory allocation patterns in applications using KissFFT
- Application crashes with heap corruption errors during FFT operations
- Unexpected dimension values in FFT function call logs exceeding typical use cases
- Memory access violations in kiss_fftndr() or related functions
Detection Strategies
- Monitor for unusually large dimension parameters passed to FFT allocation functions
- Implement static code analysis to identify KissFFT library versions in use
- Use address sanitizers (ASAN) during development to detect heap buffer overflows
- Deploy runtime memory protection mechanisms to detect out-of-bounds writes
Monitoring Recommendations
- Enable application crash monitoring for heap-related exceptions
- Log FFT dimension parameters for anomaly detection in production environments
- Implement input validation metrics to track dimension value ranges
- Monitor for memory corruption indicators in signal processing pipelines
How to Mitigate CVE-2026-41445
Immediate Actions Required
- Update KissFFT to commit 8a8e66e33d692bad1376fe7904d87d767730537f or later
- Audit applications for usage of kiss_fftndr_alloc() with untrusted input
- Implement input validation to reject unreasonably large dimension values
- Consider temporarily disabling affected functionality if patching is not immediately possible
Patch Information
The vulnerability has been addressed in the KissFFT repository. The fix changes the dimOther variable and prod() function return type from int to size_t to prevent signed integer overflow during dimension calculations. Apply the patch by updating to commit 8a8e66e33d692bad1376fe7904d87d767730537f or later.
For additional details, refer to the VulnCheck Advisory on KissFFT.
Workarounds
- Validate all FFT dimension inputs to ensure products do not approach INT_MAX
- Implement bounds checking on dimension parameters before calling KissFFT functions
- Use memory-safe wrappers around KissFFT allocation functions
- Deploy exploit mitigation technologies such as ASLR and heap canaries
# Example input validation for FFT dimensions
# Reject dimension products that could cause overflow
MAX_SAFE_PRODUCT=$((2147483647 / 4)) # Account for sizeof(kiss_fft_scalar)
# Validate that dim1 * dim2 * (dimReal + 2) < MAX_SAFE_PRODUCT before calling kiss_fftndr_alloc
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
