Impact
The sound(4) mmap path in FreeBSD validated the user‑supplied mapping length and offset by adding them together and comparing the sum to the buffer size. This addition could overflow so that a large offset and length wrapped around and passed the check. The offset was then narrowed from 64 to 32 bits before converting it to a buffer address, resulting in a mapping that extended past the intended audio buffer into unrelated kernel memory. Because the /dev/dsp device nodes are world‑accessible by default, an unprivileged local user can map and manipulate kernel memory, giving the attacker the ability to elevate privileges to root or crash the kernel, causing a denial of service.
Affected Systems
The vulnerability affects the FreeBSD operating system sound subsystem. No specific version numbers are listed in the advisory, but any installation that enables the /dev/dsp device on a vulnerable FreeBSD build is exposed.
Risk and Exploitability
The CVE is not listed in the CISA KEV catalog and has an EPSS score of < 1%. The CVSS score of 7.8 indicates a high severity. The attack vector is local: an unprivileged user must open the world‑accessible /dev/dsp device, giving read/write access to kernel memory. The lack of public exploitation evidence does not reduce the risk, as the flaw enables an attacker to gain full system control or crash the kernel, leading to denial of service.
OpenCVE Enrichment