Description
Multiple unbounded alloca() calls in the PulseAudio protocol server.
Published: 2026-07-01
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from multiple unbounded alloca() calls within the PulseAudio protocol server. These unchecked allocations can grow the stack without limit, leading to a stack overflow and causing the server process to crash. When the server terminates, PulseAudio functionality is lost, resulting in a denial of service condition for users relying on PulseAudio.
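
The failure mode described above, as an added example that is not PipeWire or PulseAudio source code: a hypothetical handler for a constructed length-prefixed message, with the uncapped alloca() pattern beside a capped form. The wire format, the function names and both limits are assumptions made for illustration.

```c
#include <alloca.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STACK_COPY 4096u      /* assumed cap for on-stack scratch space */
#define MAX_MSG_LEN    (1u << 20) /* assumed per-message protocol limit */

/* Constructed wire format: 4-byte big-endian length, then payload. */
static uint32_t read_len(const uint8_t *m) {
    return (uint32_t)m[0] << 24 | (uint32_t)m[1] << 16 | (uint32_t)m[2] << 8 | m[3];
}

/* Stand-in for real processing of the scratch copy. */
static uint32_t checksum(const uint8_t *p, uint32_t n) {
    uint32_t s = 0;
    while (n--) s += *p++;
    return s;
}

/* Weak: the length agrees with the bytes received, but nothing caps it, so
 * a multi-megabyte message puts a multi-megabyte buffer on the stack. */
int handle_unbounded(const uint8_t *msg, size_t avail, uint32_t *out) {
    if (avail < 4) return -1;
    uint32_t len = read_len(msg);
    if (len > avail - 4) return -1;
    uint8_t *tmp = alloca(len);           /* size chosen by the peer */
    memcpy(tmp, msg + 4, len);
    *out = checksum(tmp, len);
    return 0;
}

/* Hardened: reject over-limit lengths, keep stack use fixed, spill to heap. */
int handle_bounded(const uint8_t *msg, size_t avail, uint32_t *out) {
    if (avail < 4) return -1;
    uint32_t len = read_len(msg);
    if (len > MAX_MSG_LEN || len > avail - 4) return -1;
    uint8_t stack_buf[MAX_STACK_COPY];
    uint8_t *tmp = len <= MAX_STACK_COPY ? stack_buf : malloc(len);
    if (tmp == NULL) return -1;           /* allocation failure is an error, not a crash */
    memcpy(tmp, msg + 4, len);
    *out = checksum(tmp, len);
    if (tmp != stack_buf) free(tmp);
    return 0;
}

int main(void) {
    const uint8_t small[] = {0, 0, 0, 3, 1, 2, 3};  /* constructed sample */
    uint32_t sum = 0;
    return handle_bounded(small, sizeof small, &sum) == 0 && sum == 6 ? 0 : 1;
}
```

A failed malloc() returns NULL and can be handled as an ordinary error, whereas alloca() has no failure return, which is why the capped form checks the length before touching the stack.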

Affected Systems

The affected platforms are Red Hat Enterprise Linux 8, 9, and 10. Any installation that includes the bundled PulseAudio protocol server is potentially impacted, regardless of the specific minor release level.

Risk and Exploitability

The CVSS score of 5.5 reflects moderate severity; the EPSS score is not available and the flaw is not listed in the CISA KEV catalog. The likely attack vector is local access to the machine running the PulseAudio server, given that the protocol is designed for local inter-process communication. Based on the description, it is inferred that an attacker with local or elevated privileges could trigger an allocation request that exceeds the stack, prompting a crash and a denial of service for all applications depending on the server.

Generated by OpenCVE AI on July 2, 2026 at 00:55 UTC.

Remediation

Vendor Workaround

No practical mitigation beyond upgrading. The PulseAudio protocol server is a core module required for PulseAudio application compatibility.


OpenCVE Recommended Actions

  • Apply the latest system updates that contain the patched PulseAudio package from Red Hat.
  • Restart the PulseAudio service so the updated binary is loaded.
  • Monitor the PulseAudio logs and resource usage to ensure that unbounded allocation attempts are no longer occurring.
  • Workaround: No practical mitigation beyond upgrading; the PulseAudio protocol server is a core module required for PulseAudio application compatibility.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 00:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| References | | |
| Metrics | threat_severity: None | threat_severity: Moderate |


Wed, 01 Jul 2026 17:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 01 Jul 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Multiple unbounded alloca() calls in the PulseAudio protocol server. |
| Title | | Pipewire: pulse server alloca stack overflow |
| First Time appeared | | Redhat; Redhat enterprise Linux |
| Weaknesses | | CWE-770 |
| CPEs | | cpe:/o:redhat:enterprise_linux:10; cpe:/o:redhat:enterprise_linux:8; cpe:/o:redhat:enterprise_linux:9 |
| Vendors & Products | | Redhat; Redhat enterprise Linux |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'} |


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-01T15:37:41.482Z

Reserved: 2026-07-01T12:29:58.653Z

Link: CVE-2026-14330

Vulnrichment

Updated: 2026-07-01T15:37:24.485Z

NVD

No data.

Redhat

Severity: Moderate

Public Date: 2026-07-01T00:00:00Z

Links: CVE-2026-14330 - Bugzilla

OpenCVE Enrichment

Updated: 2026-07-02T01:00:12Z

Weaknesses
  • CWE-770: Allocation of Resources Without Limits or Throttling