Description
Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could then be reused elsewhere while still accessible through the stale mapping.

The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS).
Published: 2026-06-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unprivileged user who can create a mapping to the /dev/dsp device can exploit a use‑after‑free flaw in the sound(4) mmap path. The sound driver frees the audio buffer when the device is closed, yet the memory mapping created earlier remains valid. The attacker can read and write the freed kernel memory through this stale mapping, enabling arbitrary kernel memory manipulation. This capability can be abused to gain elevated privileges or to crash the kernel, leading to a denial‑of‑service. The underlying weakness is categorised as CWE‑416: Use After Free.

Affected Systems

All FreeBSD installations running the standard sound subsystem that expose the /dev/dsp device with the default world‑writable permissions are affected. The vulnerability applies to any system that implements the sound(4) mmap interface and uses the /dev/dsp character device.

Risk and Exploitability

The CVE record does not provide a CVSS score or EPSS estimate, so the numeric severity cannot be stated. However, because the flaw allows direct access to kernel memory from any user on the host, the risk is high. An attacker with local user access can read or corrupt kernel data, elevate to root, or crash the system. The CVE is not listed in the CISA KEV catalog, but the fundamental nature of the vulnerability implies a high likelihood of exploitation in a controlled local environment.

Generated by OpenCVE AI on June 27, 2026 at 10:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest FreeBSD security update that addresses the sound(4) mmap use‑after‑free flaw.
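  • If an update is not yet available, change the permissions of /dev/dsp to restrict access to privileged users only (for example, chmod 600 /dev/dsp and add a dedicated group for audio devices). On FreeBSD, /dev is a devfs mount, so a chmod does not survive a reboot; make the restriction persistent through devfs.conf(5) or devfs.rules(5).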
  • If the sound subsystem is not required, disable it or remove the sound(4) module to eliminate the attack surface.



Advisories

No advisories yet.

History

Sat, 27 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could then be reused elsewhere while still accessible through the stale mapping. The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS).
Title Multiple vulnerabilities in the sound(4) mmap path
Weaknesses CWE-416
References


MITRE

Status: PUBLISHED

Assigner: freebsd

Published:

Updated: 2026-06-27T08:48:30.991Z

Reserved: 2026-05-29T20:24:28.615Z

Link: CVE-2026-49417

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-27T10:30:14Z

Weaknesses