CVE-2026-37555
Published: 29 April 2026
Summary
CVE-2026-37555 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in libsndfile (Libsndfile Project). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 13.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): mandates timely identification, reporting, and correction of flaws such as the integer overflow in libsndfile 1.2.2, preventing exploitation through patching.
SI-10 (Information Input Validation): requires validation of the attacker-controlled samplesperblock and blocks values read from WAV file headers, so that their multiplication cannot overflow.
SI-16 (Memory Protection): provides memory protections that mitigate the heap buffer overflow resulting from the incorrect sf.frames value produced by the integer overflow.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The integer overflow in libsndfile enables remote exploitation of public-facing applications that process malicious WAV files, causing a heap buffer overflow or an application crash (denial of service).
NVD Description
An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065.
Deeper analysis
CVE-2026-37555 is an integer overflow vulnerability (CWE-190) in the IMA ADPCM codec of libsndfile version 1.2.2. The issue stems from an incomplete fix for CVE-2022-33065, where a cast to sf_count_t was applied to the AIFF code path at line 241, but not to the WAV code path at line 235 or the close path at line 167. When the attacker-controlled values samplesperblock and blocks from a WAV file header are multiplied and the product exceeds INT_MAX (for example 50000 * 50000, which overflows to -1794967296), the 32-bit multiplication wraps before the result is assigned to sf.frames (an sf_count_t, i.e. int64_t), leading to an incorrect frame count.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating network-accessible exploitation with low complexity and no privileges required. An attacker can craft a malicious WAV file embedding large samplesperblock and blocks values, tricking a vulnerable libsndfile-based application into processing it. This triggers the overflow, causing either a heap buffer overflow or denial of service through application crash.
Mitigation involves applying the fix from libsndfile commit 9a829113c88a51e57c1e46473e90609e4b7df151, which adds the missing casts. Additional details are available in GitHub issue #833 and a related gist at https://gist.github.com/sgInnora/a5f5c19e4bf6f4fb74fab7b0ef2bfcc1. Security practitioners should audit dependencies that use libsndfile 1.2.2 and ensure they are updated to patched versions.
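As an added illustration (not code from libsndfile, the commit, or the advisory), the following C snippet models the defective 32-bit multiplication described above next to a checked 64-bit form and a header-scanning predicate; sf_count_t is modelled as int64_t and the function names are my own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <limits.h>
#include <stdio.h>

typedef int64_t sf_count_t;   /* libsndfile's 64-bit frame count type, modelled here */

/* Defective arithmetic as described in the advisory: the two int header
 * fields are multiplied in 32-bit arithmetic and only then widened to
 * sf_count_t. Signed overflow is undefined behaviour in C, so the wrap is
 * modelled explicitly via uint32_t and reinterpreted as int32_t, which is
 * what a two's-complement build observes in practice. */
sf_count_t frames_unchecked(int samplesperblock, int blocks)
{
    uint32_t product32 = (uint32_t)samplesperblock * (uint32_t)blocks;
    return (sf_count_t)(int32_t)product32;
}

/* Detection helper for scanning WAV headers: true when the product of the
 * two fields does not fit in a 32-bit int, i.e. the unpatched path would wrap. */
bool product_exceeds_int32(int samplesperblock, int blocks)
{
    int64_t product = (int64_t)samplesperblock * (int64_t)blocks;
    return product > INT_MAX || product < INT_MIN;
}

/* Hardened form: validate the attacker-controlled fields, then multiply in
 * 64-bit arithmetic so no intermediate result can wrap (the product of two
 * 32-bit values always fits in 64 bits). Returns false on a header to reject. */
bool frames_checked(int samplesperblock, int blocks, sf_count_t *frames)
{
    if (samplesperblock <= 0 || blocks < 0)   /* zero-sample blocks / negative counts are invalid */
        return false;
    *frames = (sf_count_t)samplesperblock * (sf_count_t)blocks;
    return true;
}

int main(void)
{
    /* Header values quoted in the advisory: 50000 * 50000 = 2500000000 > INT_MAX */
    int spb = 50000, blocks = 50000;
    sf_count_t frames = 0;
    printf("unchecked frame count: %lld\n", (long long)frames_unchecked(spb, blocks));
    printf("would wrap in int32: %s\n", product_exceeds_int32(spb, blocks) ? "yes" : "no");
    if (frames_checked(spb, blocks, &frames))
        printf("checked frame count: %lld\n", (long long)frames);
    return 0;
}
```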
Details
- CWE(s)