Impact
An unprivileged user who can create a mapping to the /dev/dsp device can exploit a use‑after‑free flaw in the sound(4) mmap path. The sound driver frees the audio buffer when the device is closed, yet the memory mapping created earlier remains valid. The attacker can read and write the freed kernel memory through this stale mapping, enabling arbitrary kernel memory manipulation. This capability can be abused to gain elevated privileges or to crash the kernel, leading to a denial‑of‑service. The underlying weakness is categorised as CWE‑416: Use After Free.
Affected Systems
All FreeBSD installations running the standard sound subsystem that expose the /dev/dsp device with the default world‑writable permissions are affected. The vulnerability applies to any system that implements the sound(4) mmap interface and uses the /dev/dsp character device.
Risk and Exploitability
The CVSS score is 7, indicating high severity. The EPSS score is less than 1%, suggesting a low probability of exploitation in the wild, but the vulnerability still allows local users with access to the /dev/dsp device to manipulate kernel memory, potentially creating a privilege escalation or causing a kernel crash. The flaw is not listed in the CISA KEV catalog, however the accessibility of the device node and the nature of the use‑after‑free make it dangerous in a local environment.
OpenCVE Enrichment