Well it’s both possible, and has been done. both with mp3s and FLAC, not too long ago. It’s not the format itself, but rather the applications parsing the files that are the target.
CVE-2023-37327: A remote code execution vulnerability in GStreamer’s FLAC file parser caused by an integer overflow. Carefully crafted FLAC files could exploit this flaw to run arbitrary code on the target system
Well it’s both possible, and has been done. both with mp3s and FLAC, not too long ago. It’s not the format itself, but rather the applications parsing the files that are the target.
https://nvd.nist.gov/vuln/detail/CVE-2023-37327#%3A~%3Atext=GStreamer+FLAC%2Ccode+on