Fluid Attacks Database

Description

An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	libsndfile	=1.0.31-2 \|\| =1.0.31-2+deb11u1 \|\| =1.0.31-2+deb11u2 \|\| =1.1.0-1 \|\| =1.1.0-2 \|\| =1.1.0-3 \|\| =1.2.0-1 \|\| =1.2.2-1 \|\| =1.2.2-1+hurd.1 \|\| =1.2.2-1+hurd.2 \|\| =1.2.2-1+hurd.3 \|\| =1.2.2-2 \|\| =1.2.2-3 \|\| =1.2.2-4	-
debian 12	libsndfile	=1.2.0-1 \|\| =1.2.0-1+deb12u1 \|\| =1.2.2-1 \|\| =1.2.2-1+hurd.1 \|\| =1.2.2-1+hurd.2 \|\| =1.2.2-1+hurd.3 \|\| =1.2.2-2 \|\| =1.2.2-3 \|\| =1.2.2-4	-
debian 13	libsndfile	=1.2.2-2 \|\| =1.2.2-2+deb13u1 \|\| =1.2.2-3 \|\| =1.2.2-4	-
debian 14	libsndfile	=1.2.2-2 \|\| =1.2.2-3 \|\| =1.2.2-4	-
rpm rhel6	libsndfile	-	-
rpm rhel7	libsndfile	-	-
rpm rhel8	libsndfile	<0:1.0.28-17.el8_10	0:1.0.28-17.el8_10
rpm rhel9	libsndfile	<0:1.0.31-9.el9_8.1	0:1.0.31-9.el9_8.1
rpm rhel10	libsndfile	<0:1.2.2-6.el10_2.1	0:1.2.2-6.el10_2.1
rpm rhel9.6	libsndfile	<0:1.0.31-9.el9_6.1	0:1.0.31-9.el9_6.1

Aliases

1. CVE-2026-375552. NVD-2026-375553. OSV-DEBIAN-2026-375554. OSV-2026-375555. SECURITY-TRACKER-CVE-2026-37555

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.