Impact
The sound(4) mmap path in FreeBSD validated the user‑supplied mapping length and offset by adding them together and comparing the sum to the buffer size. This addition could overflow so that a large offset and length wrapped around and passed the check. The offset was then narrowed from 64 to 32 bits before converting it to a buffer address, resulting in a mapping that extended past the intended audio buffer into unrelated kernel memory. Because the /dev/dsp device nodes are world‑accessible by default, an unprivileged local user can map and manipulate kernel memory, giving the attacker the ability to elevate privileges to root or crash the kernel, causing a denial of service.
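The two-step failure described above, a bounds check whose sum wraps followed by a 64-to-32-bit narrowing, can be modelled in user space next to a hardened form. This is an added example, not FreeBSD source: the function names, the unsigned 64-bit types and the sample values are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not FreeBSD source: names and types are assumptions. */

/* Flawed pattern: offset + length can wrap modulo 2^64 and look small. */
static bool range_ok_wrapping(uint64_t offset, uint64_t length, uint64_t bufsize)
{
    return offset + length <= bufsize;
}

/* Hardened pattern: bound each operand on its own, never form the sum. */
static bool range_ok_checked(uint64_t offset, uint64_t length, uint64_t bufsize)
{
    if (offset > bufsize)
        return false;
    return length <= bufsize - offset;
}

/* The narrowing step from the description: the upper 32 bits are dropped. */
static uint32_t narrow_offset(uint64_t offset)
{
    return (uint32_t)offset;
}

/* A safe narrowing refuses values that do not fit instead of truncating. */
static bool narrow_offset_checked(uint64_t offset, uint32_t *out)
{
    if (offset > UINT32_MAX)
        return false;
    *out = (uint32_t)offset;
    return true;
}

int main(void)
{
    /* Constructed values: a 64 KiB buffer and a request whose sum wraps. */
    const uint64_t bufsize = 0x10000, offset = 0xFFFFFFFFFFFFF000ULL, length = 0x2000;
    uint32_t narrowed = 0;

    printf("wrapping check accepts: %d\n", range_ok_wrapping(offset, length, bufsize));
    printf("checked check accepts:  %d\n", range_ok_checked(offset, length, bufsize));
    printf("truncated offset:       %#x\n", (unsigned)narrow_offset(offset));
    printf("checked narrowing ok:   %d\n", narrow_offset_checked(offset, &narrowed));
    return 0;
}
```

When reviewing similar mmap handlers, look for any `a + b <= limit` comparison on caller-controlled values and any implicit cast to a narrower type between validation and use.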
Affected Systems
The vulnerability affects the FreeBSD operating system sound subsystem. No specific version numbers are listed in the advisory, but any installation that enables the /dev/dsp device on a vulnerable FreeBSD build is exposed.
Risk and Exploitability
The CVE is not listed in the CISA KEV catalog and no EPSS score is available, yet the impact is severe because the flaw enables local privilege escalation and potential full system compromise. The attack vector is local: the attacker must be able to open the world‑accessible /dev/dsp device, through which the flawed mmap path gives read/write access to kernel memory. The lack of public exploitation evidence does not diminish the risk, as any local user who can open the device can leverage the flaw to gain root access or perform a DoS.