An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065.
Casky was already ahead
This CVE exploits attack patterns that Casky's 255matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-37555 is an integer overflow vulnerability in libsndfile's IMA ADPCM codec affecting both WAV and AIFF audio file processing. The flaw occurs when calculating total frame counts: multiplying samplesperblock (int) by blocks (int) can exceed INT_MAX before assignment to a 64-bit variable, causing silent wraparound to negative values. This miscalculation leads to incorrect frame counts and subsequent heap buffer overflows during audio decoding. The vulnerability affects any application using libsndfile 1.2.2 or earlier to process crafted audio files—including media players, audio editors, streaming services, and security tools that analyze multimedia content. Attackers can trigger this through specially crafted AIFF or WAV files, making it a vector for remote code execution or denial of service.
Casky's 255 mapped skills detect this vulnerability through Claude AI's analysis of two critical MITRE ATT&CK techniques: TA0002 (Execution) and TA0003 (Persistence). The platform identifies attack patterns by correlating memory corruption indicators (buffer overflow signals from heap state analysis), input validation gaps (unchecked arithmetic operations on untrusted file headers), and exploitation behaviors (unexpected process termination, memory access violations, or post-compromise persistence). Practitioners using Casky would see findings highlighting unsafe integer arithmetic in audio codec implementations, detection of crafted file headers designed to trigger overflow conditions, and patterns consistent with exploited memory corruption—enabling proactive patching before files reach processing pipelines and reducing exposure to both remote execution and supply chain attack scenarios.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-37555.
Casky has 255 skills that investigate the attack patterns behind CVE-2026-37555. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →analyzing-browser-forensics-with-hindsight
digital forensics · low
analyzing-cobalt-strike-beacon-configuration
malware analysis · medium
analyzing-cobaltstrike-malleable-c2-profiles
malware analysis · medium
analyzing-command-and-control-communication
malware analysis · medium
analyzing-disk-image-with-autopsy
digital forensics · low
analyzing-dns-logs-for-exfiltration
soc operations · low
analyzing-docker-container-forensics
digital forensics · low
analyzing-email-headers-for-phishing-investigation
digital forensics · low
analyzing-golang-malware-with-ghidra
malware analysis · medium
analyzing-heap-spray-exploitation
malware analysis · medium
analyzing-kubernetes-audit-logs
container security · low
analyzing-linux-elf-malware
malware analysis · medium
analyzing-linux-kernel-rootkits
digital forensics · low
analyzing-linux-system-artifacts
digital forensics · low
analyzing-lnk-file-and-jump-list-artifacts
digital forensics · low
analyzing-macro-malware-in-office-documents
malware analysis · medium
analyzing-malicious-pdf-with-peepdf
malware analysis · medium
analyzing-malware-behavior-with-cuckoo-sandbox
malware analysis · medium
analyzing-malware-persistence-with-autoruns
malware analysis · medium
analyzing-malware-sandbox-evasion-techniques
malware analysis · medium
analyzing-memory-dumps-with-volatility
malware analysis · medium
analyzing-mft-for-deleted-file-recovery
digital forensics · low
analyzing-network-covert-channels-in-malware
malware analysis · medium
analyzing-network-traffic-of-malware
malware analysis · medium
analyzing-outlook-pst-for-email-forensics
digital forensics · low
analyzing-packed-malware-with-upx-unpacker
malware analysis · medium
analyzing-pdf-malware-with-pdfid
malware analysis · medium
analyzing-persistence-mechanisms-in-linux
threat hunting · low
analyzing-powershell-empire-artifacts
threat hunting · low
analyzing-prefetch-files-for-execution-history
digital forensics · low
analyzing-ransomware-encryption-mechanisms
malware analysis · medium
analyzing-ransomware-network-indicators
threat hunting · low
analyzing-slack-space-and-file-system-artifacts
digital forensics · low
analyzing-supply-chain-malware-artifacts
malware analysis · medium
analyzing-usb-device-connection-history
digital forensics · low
analyzing-windows-amcache-artifacts
digital forensics · low
analyzing-windows-event-logs-in-splunk
soc operations · low
analyzing-windows-lnk-files-for-artifacts
digital forensics · low
analyzing-windows-prefetch-with-python
digital forensics · low
analyzing-windows-registry-for-artifacts
digital forensics · low
analyzing-windows-shellbag-artifacts
digital forensics · low
building-automated-malware-submission-pipeline
soc operations · low
building-c2-infrastructure-with-sliver-framework
red teaming · high
building-detection-rule-with-splunk-spl
soc operations · low
building-detection-rules-with-sigma
soc operations · low
building-incident-response-dashboard
soc operations · low
building-red-team-c2-infrastructure-with-havoc
red teaming · high
building-soc-escalation-matrix
soc operations · low
building-soc-metrics-and-kpi-tracking
soc operations · low
building-soc-playbook-for-ransomware
soc operations · low
building-threat-hunt-hypothesis-framework
threat hunting · low
building-threat-intelligence-enrichment-in-splunk
soc operations · low
building-threat-intelligence-feed-integration
soc operations · low
building-vulnerability-scanning-workflow
soc operations · low
conducting-api-security-testing
penetration testing · medium
conducting-domain-persistence-with-dcsync
red teaming · high
conducting-external-reconnaissance-with-osint
penetration testing · medium
conducting-full-scope-red-team-engagement
red teaming · high
conducting-internal-network-penetration-test
penetration testing · medium
conducting-internal-reconnaissance-with-bloodhound-ce
red teaming · high
conducting-mobile-app-penetration-test
penetration testing · medium
conducting-network-penetration-test
penetration testing · medium
conducting-pass-the-ticket-attack
red teaming · high
conducting-social-engineering-penetration-test
penetration testing · medium
conducting-social-engineering-pretext-call
red teaming · high
conducting-spearphishing-simulation-campaign
red teaming · high
conducting-wireless-network-penetration-test
penetration testing · medium
configuring-host-based-intrusion-detection
endpoint security · low
configuring-windows-defender-advanced-settings
endpoint security · low
configuring-windows-event-logging-for-detection
endpoint security · low
correlating-security-events-in-qradar
soc operations · low
deobfuscating-javascript-malware
malware analysis · medium
deobfuscating-powershell-obfuscated-malware
malware analysis · medium
deploying-edr-agent-with-crowdstrike
endpoint security · low
deploying-osquery-for-endpoint-monitoring
endpoint security · low
detecting-container-drift-at-runtime
container security · low
detecting-container-escape-attempts
container security · low
detecting-container-escape-with-falco-rules
container security · low
detecting-dcsync-attack-in-active-directory
threat hunting · low
detecting-dll-sideloading-attacks
threat hunting · low
detecting-email-forwarding-rules-attack
threat hunting · low
detecting-evasion-techniques-in-endpoint-logs
endpoint security · low
detecting-fileless-attacks-on-endpoints
endpoint security · low
detecting-fileless-malware-techniques
malware analysis · medium
detecting-golden-ticket-attacks-in-kerberos-logs
threat hunting · low
detecting-insider-threat-behaviors
threat hunting · low
detecting-kerberoasting-attacks
threat hunting · low
detecting-lateral-movement-with-splunk
threat hunting · low
detecting-malicious-scheduled-tasks-with-sysmon
threat hunting · low
detecting-mimikatz-execution-patterns
threat hunting · low
detecting-ntlm-relay-with-event-correlation
threat hunting · low
detecting-pass-the-hash-attacks
threat hunting · low
detecting-privilege-escalation-attempts
threat hunting · low
detecting-privilege-escalation-in-kubernetes-pods
container security · low
detecting-process-hollowing-technique
threat hunting · low
detecting-process-injection-techniques
malware analysis · medium
detecting-rootkit-activity
malware analysis · medium
detecting-service-account-abuse
threat hunting · low
detecting-suspicious-powershell-execution
threat hunting · low
detecting-t1003-credential-dumping-with-edr
threat hunting · low
detecting-t1055-process-injection-with-sysmon
threat hunting · low
detecting-t1548-abuse-elevation-control-mechanism
threat hunting · low
detecting-wmi-persistence
threat hunting · low
executing-active-directory-attack-simulation
penetration testing · medium
executing-phishing-simulation-campaign
penetration testing · medium
executing-red-team-engagement-planning
red teaming · high
executing-red-team-exercise
penetration testing · medium
exploiting-active-directory-certificate-services-esc1
red teaming · high
exploiting-active-directory-with-bloodhound
red teaming · high
exploiting-constrained-delegation-abuse
red teaming · high
exploiting-kerberoasting-with-impacket
red teaming · high
exploiting-ms17-010-eternalblue-vulnerability
red teaming · high
exploiting-nopac-cve-2021-42278-42287
red teaming · high
exploiting-sql-injection-vulnerabilities
penetration testing · medium
exploiting-zerologon-vulnerability-cve-2020-1472
red teaming · high
extracting-browser-history-artifacts
digital forensics · low
extracting-config-from-agent-tesla-rat
malware analysis · medium
extracting-credentials-from-memory-dump
digital forensics · low
extracting-iocs-from-malware-samples
malware analysis · medium
extracting-windows-event-logs-artifacts
digital forensics · low
hardening-docker-containers-for-production
container security · low
hardening-docker-daemon-configuration
container security · low
hardening-linux-endpoint-with-cis-benchmark
endpoint security · low
hardening-windows-endpoint-with-cis-benchmark
endpoint security · low
hunting-for-anomalous-powershell-execution
threat hunting · low
hunting-for-beaconing-with-frequency-analysis
threat hunting · low
hunting-for-cobalt-strike-beacons
threat hunting · low
hunting-for-command-and-control-beaconing
threat hunting · low
hunting-for-data-exfiltration-indicators
threat hunting · low
hunting-for-data-staging-before-exfiltration
threat hunting · low
hunting-for-dcom-lateral-movement
threat hunting · low
hunting-for-dcsync-attacks
threat hunting · low
hunting-for-defense-evasion-via-timestomping
threat hunting · low
hunting-for-dns-based-persistence
threat hunting · low
hunting-for-dns-tunneling-with-zeek
threat hunting · low
hunting-for-domain-fronting-c2-traffic
threat hunting · low
hunting-for-lateral-movement-via-wmi
threat hunting · low
hunting-for-living-off-the-cloud-techniques
threat hunting · low
hunting-for-living-off-the-land-binaries
threat hunting · low
hunting-for-lolbins-execution-in-endpoint-logs
threat hunting · low
hunting-for-ntlm-relay-attacks
threat hunting · low
hunting-for-persistence-mechanisms-in-windows
threat hunting · low
hunting-for-persistence-via-wmi-subscriptions
threat hunting · low
hunting-for-process-injection-techniques
threat hunting · low
hunting-for-registry-persistence-mechanisms
threat hunting · low
hunting-for-registry-run-key-persistence
threat hunting · low
hunting-for-scheduled-task-persistence
threat hunting · low
hunting-for-shadow-copy-deletion
threat hunting · low
hunting-for-spearphishing-indicators
threat hunting · low
hunting-for-startup-folder-persistence
threat hunting · low
hunting-for-supply-chain-compromise
threat hunting · low
hunting-for-suspicious-scheduled-tasks
threat hunting · low
hunting-for-t1098-account-manipulation
threat hunting · low
hunting-for-unusual-network-connections
threat hunting · low
hunting-for-unusual-service-installations
threat hunting · low
hunting-for-webshell-activity
threat hunting · low
implementing-alert-fatigue-reduction
soc operations · low
implementing-application-whitelisting-with-applocker
endpoint security · low
implementing-container-image-minimal-base-with-distroless
container security · low
implementing-container-network-policies-with-calico
container security · low
implementing-disk-encryption-with-bitlocker
endpoint security · low
implementing-endpoint-dlp-controls
endpoint security · low
implementing-file-integrity-monitoring-with-aide
endpoint security · low
implementing-image-provenance-verification-with-cosign
container security · low
implementing-kubernetes-network-policy-with-calico
container security · low
implementing-kubernetes-pod-security-standards
container security · low
implementing-memory-protection-with-dep-aslr
endpoint security · low
implementing-mitre-attack-coverage-mapping
soc operations · low
implementing-network-policies-for-kubernetes
container security · low
implementing-opa-gatekeeper-for-policy-enforcement
container security · low
implementing-pod-security-admission-controller
container security · low
implementing-rbac-hardening-for-kubernetes
container security · low
implementing-runtime-security-with-tetragon
container security · low
implementing-siem-use-cases-for-detection
soc operations · low
implementing-soar-automation-with-phantom
soc operations · low
implementing-soar-playbook-with-palo-alto-xsoar
soc operations · low
implementing-supply-chain-security-with-in-toto
container security · low
implementing-threat-modeling-with-mitre-attack
soc operations · low
implementing-ticketing-system-for-incidents
soc operations · low
implementing-usb-device-control-policy
endpoint security · low
investigating-insider-threat-indicators
soc operations · low
investigating-phishing-email-incident
soc operations · low
investigating-ransomware-attack-artifacts
digital forensics · low
performing-active-directory-bloodhound-analysis
red teaming · high
performing-active-directory-penetration-test
penetration testing · medium
performing-alert-triage-with-elastic-siem
soc operations · low
performing-automated-malware-analysis-with-cape
malware analysis · medium
performing-cloud-forensics-investigation
digital forensics · low
performing-cloud-storage-forensic-acquisition
digital forensics · low
performing-container-escape-detection
container security · low
performing-container-security-scanning-with-trivy
container security · low
performing-credential-access-with-lazagne
red teaming · high
performing-deception-technology-deployment
soc operations · low
performing-docker-bench-security-assessment
container security · low
performing-dynamic-analysis-with-any-run
malware analysis · medium
performing-endpoint-forensics-investigation
endpoint security · low
performing-endpoint-vulnerability-remediation
endpoint security · low
performing-external-network-penetration-test
penetration testing · medium
performing-false-positive-reduction-in-siem
soc operations · low
performing-file-carving-with-foremost
digital forensics · low
performing-firmware-malware-analysis
malware analysis · medium
performing-initial-access-with-evilginx3
red teaming · high
performing-ioc-enrichment-automation
soc operations · low
performing-iot-security-assessment
penetration testing · medium
performing-kerberoasting-attack
red teaming · high
performing-kubernetes-cis-benchmark-with-kube-bench
container security · low
performing-kubernetes-etcd-security-assessment
container security · low
performing-kubernetes-penetration-testing
container security · low
performing-lateral-movement-detection
soc operations · low
performing-lateral-movement-with-wmiexec
red teaming · high
performing-linux-log-forensics-investigation
digital forensics · low
performing-log-analysis-for-forensic-investigation
digital forensics · low
performing-log-source-onboarding-in-siem
soc operations · low
performing-malware-persistence-investigation
digital forensics · low
performing-malware-triage-with-yara
malware analysis · medium
performing-memory-forensics-with-volatility3
digital forensics · low
performing-memory-forensics-with-volatility3-plugins
malware analysis · medium
performing-mobile-device-forensics-with-cellebrite
digital forensics · low
performing-network-forensics-with-wireshark
digital forensics · low
performing-network-packet-capture-analysis
digital forensics · low
performing-open-source-intelligence-gathering
red teaming · high
performing-physical-intrusion-assessment
red teaming · high
performing-privilege-escalation-assessment
penetration testing · medium
performing-privilege-escalation-on-linux
red teaming · high
performing-purple-team-exercise
soc operations · low
performing-soc-tabletop-exercise
soc operations · low
performing-sqlite-database-forensics
digital forensics · low
performing-static-malware-analysis-with-pe-studio
malware analysis · medium
performing-steganography-detection
digital forensics · low
performing-thick-client-application-penetration-test
penetration testing · medium
performing-threat-hunting-with-elastic-siem
soc operations · low
performing-threat-hunting-with-yara-rules
threat hunting · low
performing-timeline-reconstruction-with-plaso
digital forensics · low
performing-user-behavior-analytics
soc operations · low
performing-vulnerability-scanning-with-nessus
penetration testing · medium
performing-web-application-penetration-test
penetration testing · medium
performing-windows-artifact-analysis-with-eric-zimmerman-tools
digital forensics · low
performing-wireless-network-penetration-test
penetration testing · medium
performing-yara-rule-development-for-detection
malware analysis · medium
recovering-deleted-files-with-photorec
digital forensics · low
reverse-engineering-android-malware-with-jadx
malware analysis · medium
reverse-engineering-dotnet-malware-with-dnspy
malware analysis · medium
reverse-engineering-malware-with-ghidra
malware analysis · medium
reverse-engineering-ransomware-encryption-routine
malware analysis · medium
reverse-engineering-rust-malware
malware analysis · medium
scanning-container-images-with-grype
container security · low
scanning-docker-images-with-trivy
container security · low
scanning-kubernetes-manifests-with-kubesec
container security · low
securing-container-registry-with-harbor
container security · low
securing-helm-chart-deployments
container security · low
testing-for-xss-vulnerabilities
penetration testing · medium
triaging-security-alerts-in-splunk
soc operations · low
© 2026 Casky.AI, Inc. · AI Security Investigation