Description
An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065.
Published: 2026-04-29
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer overflow has been identified in the IMA ADPCM codec of libsndfile 1.2.2. In the WAV handling path, the product of the integer field "samplesperblock" and another field, "blocks", is calculated with a 32-bit multiplication. When the product exceeds the 32-bit signed range, as with 50000*50000 (2.5 billion), the value overflows to a negative number before being assigned to a 64-bit frame counter. This incorrect frame count can lead to a heap buffer overflow or a denial-of-service condition. Both fields come from the WAV file header, which an attacker can control, so the vulnerability is exploitable via a crafted audio file.

Affected Systems

Any installation of libsndfile 1.2.2 that employs the IMA ADPCM codec is affected. The gap was left unpatched after an incomplete fix for a prior CVE. All systems processing user‑supplied WAV files with this library version are at risk.

Risk and Exploitability

A local or remote attacker who can supply a malicious WAV header can trigger the overflow. Because the library allocates memory based on the corrupted frame count, the condition can lead to arbitrary code execution or a crash, resulting in denial of service. No EPSS score is available and the issue is not listed in CISA’s KEV catalog, but the classic integer overflow bug coupled with an unbounded heap allocation clearly signals a high severity risk.

Generated by OpenCVE AI on April 29, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update libsndfile to the latest released version that incorporates the fix from the referenced commit
  • Sanitize the "samplesperblock" and "blocks" header values before performing the multiplication; reject any values that would cause the product to exceed the 32‑bit limit
  • If an update is not immediately possible, avoid processing untrusted audio files or disable the IMA ADPCM codec for external inputs

Generated by OpenCVE AI on April 29, 2026 at 21:27 UTC.
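The arithmetic from the description and the header check from the recommended actions, as an added C example that is not libsndfile's code. The function names are hypothetical, `sf_count_t` is a local stand-in typedef, and the rejection threshold follows the recommendation above.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the 64-bit frame counter type (the page gives sf_count_t as int64). */
typedef int64_t sf_count_t;

/* Models the value a two's-complement 32-bit multiply produces. Signed overflow
   is undefined in C, so the wrap is computed in unsigned arithmetic here. */
static sf_count_t frames_int_multiply(int samplesperblock, int blocks)
{
    uint32_t low = (uint32_t) samplesperblock * (uint32_t) blocks;
    int64_t wrapped = low;
    if (wrapped > INT32_MAX)
        wrapped -= 4294967296LL;   /* reinterpret the low 32 bits as signed */
    return wrapped;                /* widening to 64 bits comes too late */
}

/* Widen one operand first so the multiply itself is done in 64 bits. */
static sf_count_t frames_widened(int samplesperblock, int blocks)
{
    return (sf_count_t) samplesperblock * blocks;
}

/* Hypothetical header validation: reject a non-positive samplesperblock, a
   negative blocks, and any product above the 32-bit signed limit.
   Returns 0 and sets *frames on success, -1 on rejection. */
static int frames_checked(int samplesperblock, int blocks, sf_count_t *frames)
{
    if (samplesperblock <= 0 || blocks < 0)
        return -1;
    sf_count_t product = (sf_count_t) samplesperblock * blocks;
    if (product > INT32_MAX)
        return -1;
    *frames = product;
    return 0;
}

int main(void)
{
    sf_count_t frames = 0;
    /* Constructed inputs: the values quoted in the CVE description. */
    printf("int multiply : %lld\n", (long long) frames_int_multiply(50000, 50000));
    printf("widened      : %lld\n", (long long) frames_widened(50000, 50000));
    printf("checked      : %d\n", frames_checked(50000, 50000, &frames));
    return 0;
}
```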

Advisories

No advisories yet.

History

Fri, 01 May 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:libsndfile_project:libsndfile:1.2.2:*:*:*:*:*:*:*

Thu, 30 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
References

Thu, 30 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Libsndfile Project
Libsndfile Project libsndfile
Vendors & Products Libsndfile Project
Libsndfile Project libsndfile

Wed, 29 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Title Overflow in WAV Header Field Causes Heap Buffer Overrun in libsndfile's IMA ADPCM Codec
Weaknesses CWE-119
CWE-20

Wed, 29 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 29 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Description An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-30T19:42:09.044Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37555

Vulnrichment

Updated: 2026-04-29T19:30:54.330Z

NVD

Status: Analyzed

Published: 2026-04-29T16:16:23.410

Modified: 2026-05-01T18:37:59.183

Link: CVE-2026-37555

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T08:15:31Z
