CVE-2026-37555
Integer Overflow in libsndfile IMA ADPCM Codec
Publication date: 2026-04-29
Last updated on: 2026-05-01
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libsndfile_project | libsndfile | 1.2.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in libsndfile version 1.2.2 within the IMA ADPCM codec. Specifically, the issue arises because the multiplication of two integer values, samplesperblock and blocks, can exceed the maximum value for a 32-bit integer (INT_MAX). While one code path (AIFF) was fixed by casting to a 64-bit integer type, other code paths (WAV and close) were not fixed. When the product of samplesperblock and blocks overflows, it results in an incorrect frame count.
Since both samplesperblock and blocks are derived from the WAV file header and can be controlled by an attacker, this overflow can cause a heap buffer overflow or denial of service condition.
How can this vulnerability impact me? :
The vulnerability can lead to a heap buffer overflow or denial of service when processing specially crafted WAV files. An attacker could exploit this by providing a malicious WAV file that triggers the integer overflow, potentially causing the application using libsndfile to crash or behave unpredictably.
Can you explain this vulnerability to me?
This vulnerability is an integer overflow issue in the libsndfile 1.2.2 library's IMA ADPCM codec, specifically in the WAV file processing code path. When the product of two integer values, samplesperblock and blocks, exceeds the maximum value for a 32-bit integer (INT_MAX), the multiplication overflows and results in an incorrect, negative frame count.
Because these values come from the WAV file header and can be controlled by an attacker, this overflow can cause the program to miscalculate the number of audio frames, leading to a heap buffer overflow or denial of service.
The issue was partially fixed for the AIFF code path but remained in the WAV code path until addressed in this vulnerability.
How can this vulnerability impact me? :
This vulnerability can lead to a heap buffer overflow or denial of service in applications using the libsndfile library to process WAV files.
An attacker can craft a malicious WAV file with manipulated header values to trigger the integer overflow, causing the application to crash or behave unpredictably.
Such crashes or memory corruption could potentially be exploited to disrupt service or, in some cases, execute arbitrary code depending on the context of the application.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by using fuzzing tools and runtime sanitizers such as UndefinedBehaviorSanitizer (UBSan) to identify signed integer overflows in the libsndfile library.
Specifically, fuzzing tests that trigger arithmetic operations exceeding the maximum representable value for the 'int' type can reveal the issue.
While no direct network detection commands are provided, you can run UBSan-enabled builds of libsndfile and execute fuzzing tests to detect the overflow.
- Compile libsndfile with UBSan enabled (e.g., using clang with -fsanitize=undefined).
- Run fuzzing tools against libsndfile, focusing on files that use the IMA ADPCM codec and WAV file headers.
- Monitor application logs for crashes or heap buffer overflows when processing WAV files with large samplesperblock and blocks values.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update libsndfile to a version that includes the fix for CVE-2026-37555.
The fix involves pre-casting the multiplication operands to a larger integer type (sf_count_t) to prevent integer overflow during frame count calculations.
Until the update is applied, avoid processing untrusted or malformed WAV files that could trigger the overflow by having large samplesperblock and blocks values.
- Apply the patch from the official libsndfile repository that fixes the integer overflow in the ima_reader_init() function.
- Restrict or sanitize input WAV files to ensure samplesperblock * blocks does not exceed safe integer limits.
- Monitor applications using libsndfile for crashes or abnormal behavior and apply security updates promptly.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.