CVE-2026-37555

EUVD-2026-26241

29.04.2026, 16:16

An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 20%

Affected Products (NVD)

Vendor	Product	Version
libsndfile_project	libsndfile	1.2.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

libsndfile

bookworm	postponed
bullseye	postponed
bullseye (security)	vulnerable
forky	vulnerable
sid	vulnerable
trixie	postponed

openSUSE / SLES Releases

openSUSE Product

Release

libsndfile-devel

suse enterprise desktop 15 SP7	1.0.28-150000.5.23.1 fixed
suse enterprise sap 15 SP4	1.0.28-150000.5.23.1 fixed
suse enterprise sap 15 SP5	1.0.28-150000.5.23.1 fixed
suse enterprise sap 15 SP6	1.0.28-150000.5.23.1 fixed
suse enterprise sap 15 SP7	1.0.28-150000.5.23.1 fixed
suse enterprise server 12 SP5	1.0.25-36.32.1 fixed
suse enterprise server 15 SP4	1.0.28-150000.5.23.1 fixed
suse enterprise server 15 SP5	1.0.28-150000.5.23.1 fixed
suse enterprise server 15 SP6	1.0.28-150000.5.23.1 fixed
suse enterprise server 15 SP7	1.0.28-150000.5.23.1 fixed

libsndfile1

suse enterprise desktop 15 SP7	1.0.28-150000.5.23.1 fixed
suse enterprise sap 15 SP4	1.0.28-150000.5.23.1 fixed
suse enterprise sap 15 SP5	1.0.28-150000.5.23.1 fixed
suse enterprise sap 15 SP6	1.0.28-150000.5.23.1 fixed
suse enterprise sap 15 SP7	1.0.28-150000.5.23.1 fixed
suse enterprise server 12 SP3	1.0.25-36.32.1 fixed
suse enterprise server 12 SP5	1.0.25-36.32.1 fixed
suse enterprise server 15 SP4	1.0.28-150000.5.23.1 fixed
suse enterprise server 15 SP5	1.0.28-150000.5.23.1 fixed
suse enterprise server 15 SP6	1.0.28-150000.5.23.1 fixed
suse enterprise server 15 SP7	1.0.28-150000.5.23.1 fixed

libsndfile1-32bit

suse enterprise server 12 SP3	1.0.25-36.32.1 fixed
suse enterprise server 12 SP5	1.0.25-36.32.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

libsndfile

RHEL 8	0:1.0.28-17.el8_10 fixed
RHEL 8.8 E4S	0:1.0.28-14.el8_8 fixed
RHEL 8.8 TUS	0:1.0.28-14.el8_8 fixed
RHEL 9	0:1.0.31-9.el9_8.1 fixed

libsndfile-devel

RHEL 8	0:1.0.28-17.el8_10 fixed
RHEL 9	0:1.0.31-9.el9_8.1 fixed

libsndfile-utils

RHEL 8	0:1.0.28-17.el8_10 fixed
RHEL 8.8 E4S	0:1.0.28-14.el8_8 fixed
RHEL 8.8 TUS	0:1.0.28-14.el8_8 fixed
RHEL 9	0:1.0.31-9.el9_8.1 fixed

Known Exploits!

https://gist.github.com/sgInnora/a5f5c19e4bf6f4fb74fab7b0ef2bfcc1

Common Weakness Enumeration

CWE-190 - Integer Overflow or Wraparound
The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

Vulnerability Media Exposure

[GERMAN] libsndfile: Schwachstelle ermöglicht Denial of Service
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in libsndfile ausnutzen, um einen Denial of Service Angriff durchzuführen.
Published: 2026-04-29T22:00:00+00:00

References

https://gist.github.com/sgInnora/a5f5c19e4bf6f4fb74fab7b0ef2bfcc1

https://github.com/libsndfile/libsndfile/commit/9a829113c88a51e57c1e46473e90609e4b7df151

https://github.com/libsndfile/libsndfile/issues/833