Impact
The vulnerability originates from multiple unbounded alloca() calls within the PulseAudio protocol server. These unchecked allocations can grow the stack without limit, leading to a stack overflow and causing the server process to crash. When the server terminates, PulseAudio functionality is lost, resulting in a denial of service condition for users relying on PulseAudio.
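The pattern behind this flaw, shown as an added illustration that is not code from PulseAudio or from the advisory: a handler that passes a peer-declared length straight to alloca(), beside a bounded version that rejects oversized lengths before allocating anything. The function names, the payload layout and the limits are assumptions chosen for the example.

```c
#include <alloca.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Names and limits below are assumptions for illustration, not PulseAudio's
 * own code or constants. `len` is the byte count the peer declared. */
#define MAX_STACK_SCRATCH 4096u          /* largest buffer allowed on the stack */
#define MAX_MESSAGE_LEN   (64u * 1024u)  /* hard cap on any accepted payload   */

/* Vulnerable pattern: the peer-supplied length feeds alloca() directly. A large
 * value moves the stack pointer beyond the mapped stack; the first write faults
 * and the process dies, taking the service with it. */
static int handle_unbounded(const uint8_t *payload, uint32_t len)
{
    uint8_t *scratch = alloca(len);      /* no upper bound on len */
    memcpy(scratch, payload, len);
    return 0;
}

/* Hardened pattern: enforce the cap before any allocation, keep only small
 * buffers on the stack, and use the heap (still capped) above that. */
static int handle_bounded(const uint8_t *payload, uint32_t len)
{
    uint8_t stack_buf[MAX_STACK_SCRATCH];
    uint8_t *scratch = stack_buf;
    int on_heap = 0;

    if (len > MAX_MESSAGE_LEN)
        return -1;                       /* rejected before anything is allocated */
    if (len > sizeof stack_buf) {
        if ((scratch = malloc(len)) == NULL)
            return -1;
        on_heap = 1;
    }
    memcpy(scratch, payload, len);       /* real processing would follow here */
    if (on_heap)
        free(scratch);
    return 0;
}

/* Constructed sample payload, not captured traffic. */
static const uint8_t kSamplePayload[4] = {'p', 'u', 'l', 's'};
```

GCC's -Walloca-larger-than=N flag reports alloca() calls whose size is unknown or may exceed N bytes, which is a cheap way to audit a code base for this pattern at build time.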
Affected Systems
The affected platforms are Red Hat Enterprise Linux 8, 9, and 10. Any installation that includes the bundled PulseAudio protocol server is potentially impacted, regardless of the specific minor release level.
Risk and Exploitability
The CVSS score of 5.5 reflects moderate severity; no EPSS score is available and the flaw is not listed in the CISA KEV catalog. The likely attack vector is local access to the machine running the PulseAudio server, since the protocol is designed for local inter-process communication. Based on the description, it is inferred that an attacker with local or elevated privileges could send a request whose declared size drives an allocation past the stack limit, crashing the server and denying service to every application that depends on it.
OpenCVE Enrichment