CVE-2026-37555
published 2026-04-29
Priority P3 · 42 · high · 7.5 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H
EPSS: 0.50% (39.3th percentile)
An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065.
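The arithmetic in the description, as an added example (a stand-alone model, not libsndfile source). It contrasts the 32-bit multiply with the `(sf_count_t)` cast pattern the description credits for the AIFF fix. The function names and the header check are hypothetical; `sf_count_t` is typedef'd to `int64_t` as the description states.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

typedef int64_t sf_count_t;   /* the description gives sf_count_t as int64 */

/* Unfixed pattern: the product is formed in 32 bits, then widened.
 * Signed overflow is undefined in C, so the wrap is reproduced with
 * unsigned arithmetic to keep this demo well defined. */
static sf_count_t frames_32bit_multiply(int samplesperblock, int blocks)
{
    uint32_t wrapped = (uint32_t) samplesperblock * (uint32_t) blocks;
    sf_count_t v = (sf_count_t) wrapped;
    return v > INT32_MAX ? v - ((sf_count_t) 1 << 32) : v;
}

/* Cast pattern: widen one operand first, so the multiply runs in 64 bits. */
static sf_count_t frames_widened(int samplesperblock, int blocks)
{
    return (sf_count_t) samplesperblock * blocks;
}

/* Audit helper (hypothetical): would an int * int product of these two
 * header fields fall outside the range of a 32-bit int? */
static int would_wrap_int32(int samplesperblock, int blocks)
{
    sf_count_t wide = (sf_count_t) samplesperblock * blocks;
    return wide > INT_MAX || wide < INT_MIN;
}

/* Header check (hypothetical): reject non-positive fields, then compute
 * the frame count in 64 bits. Returns 0 on success, -1 on rejection. */
static int frames_checked(int samplesperblock, int blocks, sf_count_t *frames)
{
    if (samplesperblock <= 0 || blocks <= 0)
        return -1;
    *frames = frames_widened(samplesperblock, blocks);
    return 0;
}

int main(void)
{
    sf_count_t f = 0;
    int rc = frames_checked(50000, 50000, &f);   /* values from the description */
    printf("32-bit multiply: %lld\n", (long long) frames_32bit_multiply(50000, 50000));
    printf("widened:         %lld (rc=%d)\n", (long long) f, rc);
    printf("would wrap int:  %d\n", would_wrap_int32(50000, 50000));
    return 0;
}
```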
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| libsndfile_project | libsndfile | — | — |
| libsndfile_project | libsndfile | — | — |
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vendor_redhat · 7.5 HIGH
VulDB
libsndfile 1.2.2 WAV File buffer overflow (Issue 833 / EUVD-2026-26241)
vuldb·2026-04-29·CVSS 7.5
CVE-2026-37555 [HIGH] libsndfile 1.2.2 WAV File buffer overflow (Issue 833 / EUVD-2026-26241)
A vulnerability categorized as critical has been discovered in libsndfile 1.2.2. Affected is an unknown function of the component WAV File Handler. Executing a manipulation can lead to buffer overflow.
This vulnerability is tracked as CVE-2026-37555. The attack can be launched remotely. No exploit exists.
It is advisable to implement a patch to correct this issue.
GHSA
GHSA-x46m-7mvp-6fvq: An issue was discovered in libsndfile 1
ghsa_unreviewed·2026-04-29·CVSS 7.8
CVE-2026-37555 [HIGH] CWE-190 GHSA-x46m-7mvp-6fvq: An issue was discovered in libsndfile 1
An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065.
Red Hat
libsndfile: integer overflow in ima_reader_init()
vendor_redhat·2026-04-29·CVSS 7.5
CVE-2026-37555 [HIGH] CWE-190 libsndfile: integer overflow in ima_reader_init()
A flaw was found in the libsndfile library. An integer overflow in the IMA ADPCM codec can occur when a specially crafted WAV audio file is processed, specifically with malicious samplesperblock and blocks values. This can lead to a heap-based buffer overflow, causing a crash to the application linked to the library and memory corruption.
Statement: To exploit this issue, an attacker needs to be able to process a malicious WAV file with an application linked to the libsndfile library.
Default Red Hat Enterprise Linux security features, including SELinux enforcement, Address Space Layout Randomization (ASLR) and NX (No-Execute) stack protection, significantly increase the difficulty of achieving arbitrary code execution, limiting the impac
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-37555 libsndfile: integer overflow in ima_reader_init() [fedora-all]
bugzilla·2026-05-07·CVSS 7.5
CVE-2026-37555 [HIGH] CVE-2026-37555 libsndfile: integer overflow in ima_reader_init() [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-37555 libsndfile: integer overflow in ima_reader_init()
bugzilla·2026-04-29·CVSS 7.8
CVE-2026-37555 [HIGH] CVE-2026-37555 libsndfile: integer overflow in ima_reader_init()
An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065.
https://gist.github.com/sgInnora/a5f5c19e4bf6f4fb74fab7b0ef2bfcc1
https://github.com/libsndfile/libsndfile/commit/9a829113c88a51e57c1e46473e90609e4b7df151
https://github.com/libsndfile/libsndfile/issues/833
https://access.redhat.com/errata/RHSA-2026:19559
https://access.redhat.com/errata/RHSA-2026:19560
https://access.redhat.com/errata/RHSA-2026:19610
https://access.redhat.com/errata/RHSA-2026:23221
https://access.redhat.com/errata/RHSA-2026:23222
https://access.redhat.com/errata/RHSA-2026:23223
https://access.redhat.com/errata/RHSA-2026:25092
https://access.redhat.com/errata/RHSA-2026:25197
https://access.redhat.com/errata/RHSA-2026:25198
https://access.redhat.com/errata/RHSA-2026:25227
https://access.redhat.com/errata/RHSA-2026:30078
https://access.redhat.com/errata/RHSA-2026:30087
https://access.redhat.com/errata/RHSA-2026:30088
https://access.redhat.com/errata/RHSA-2026:30089
https://access.redhat.com/security/cve/CVE-2026-37555
https://bugzilla.redhat.com/show_bug.cgi?id=2463856
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-37555.json