CVE-2026-37555

An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sfcountt) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INTMAX, the 32-bit multiplication overflows before being assigned to sf.frames (sfcount_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/37xxx/CVE-2026-37555.json",
    "cna_assigner": "mitre"
}

References

Affected packages

Git / github.com/libsndfile/libsndfile

Affected ranges

Type

GIT

Repo

https://github.com/libsndfile/libsndfile

Events

Introduced

Fixed

9a829113c88a51e57c1e46473e90609e4b7df151

Database specific

{
    "source": [
        "CPE_STRING",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.2.2"
        }
    ],
    "cpe": "cpe:2.3:a:libsndfile_project:libsndfile:1.2.2:*:*:*:*:*:*:*"
}

Affected versions

1.*

1.0.25

1.0.26

1.0.27

1.0.28

1.0.31

1.1.0

1.1.0beta1

1.1.0beta2

1.2.0

1.2.1

1.2.2

v1.*

v1.0.29

v1.0.30

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-37555.json"