CVE-2026-37555
Received Received - Intake
Integer Overflow in libsndfile IMA ADPCM Codec

Publication date: 2026-04-29

Last updated on: 2026-05-01

Assigner: MITRE

Description
An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-29
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-04-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-37555
EUVD
EUVD-2026-26241
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
libsndfile_project libsndfile 1.2.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in libsndfile version 1.2.2 within the IMA ADPCM codec. Specifically, the issue arises because the multiplication of two integer values, samplesperblock and blocks, can exceed the maximum value for a 32-bit integer (INT_MAX). While one code path (AIFF) was fixed by casting to a 64-bit integer type, other code paths (WAV and close) were not fixed. When the product of samplesperblock and blocks overflows, it results in an incorrect frame count.

Since both samplesperblock and blocks are derived from the WAV file header and can be controlled by an attacker, this overflow can cause a heap buffer overflow or denial of service condition.

Impact Analysis

The vulnerability can lead to a heap buffer overflow or denial of service when processing specially crafted WAV files. An attacker could exploit this by providing a malicious WAV file that triggers the integer overflow, potentially causing the application using libsndfile to crash or behave unpredictably.

Executive Summary

This vulnerability is an integer overflow issue in the libsndfile 1.2.2 library's IMA ADPCM codec, specifically in the WAV file processing code path. When the product of two integer values, samplesperblock and blocks, exceeds the maximum value for a 32-bit integer (INT_MAX), the multiplication overflows and results in an incorrect, negative frame count.

Because these values come from the WAV file header and can be controlled by an attacker, this overflow can cause the program to miscalculate the number of audio frames, leading to a heap buffer overflow or denial of service.

The issue was partially fixed for the AIFF code path but remained in the WAV code path until addressed in this vulnerability.

Impact Analysis

This vulnerability can lead to a heap buffer overflow or denial of service in applications using the libsndfile library to process WAV files.

An attacker can craft a malicious WAV file with manipulated header values to trigger the integer overflow, causing the application to crash or behave unpredictably.

Such crashes or memory corruption could potentially be exploited to disrupt service or, in some cases, execute arbitrary code depending on the context of the application.

Detection Guidance

This vulnerability can be detected by using fuzzing tools and runtime sanitizers such as UndefinedBehaviorSanitizer (UBSan) to identify signed integer overflows in the libsndfile library.

Specifically, fuzzing tests that trigger arithmetic operations exceeding the maximum representable value for the 'int' type can reveal the issue.

While no direct network detection commands are provided, you can run UBSan-enabled builds of libsndfile and execute fuzzing tests to detect the overflow.

  • Compile libsndfile with UBSan enabled (e.g., using clang with -fsanitize=undefined).
  • Run fuzzing tools against libsndfile, focusing on files that use the IMA ADPCM codec and WAV file headers.
  • Monitor application logs for crashes or heap buffer overflows when processing WAV files with large samplesperblock and blocks values.
Mitigation Strategies

To mitigate this vulnerability, update libsndfile to a version that includes the fix for CVE-2026-37555.

The fix involves pre-casting the multiplication operands to a larger integer type (sf_count_t) to prevent integer overflow during frame count calculations.

Until the update is applied, avoid processing untrusted or malformed WAV files that could trigger the overflow by having large samplesperblock and blocks values.

  • Apply the patch from the official libsndfile repository that fixes the integer overflow in the ima_reader_init() function.
  • Restrict or sanitize input WAV files to ensure samplesperblock * blocks does not exceed safe integer limits.
  • Monitor applications using libsndfile for crashes or abnormal behavior and apply security updates promptly.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-37555. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart