Description
Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could then be reused elsewhere while still accessible through the stale mapping.

The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS).
Published: 2026-06-27
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unprivileged user who can create a mapping to the /dev/dsp device can exploit a use‑after‑free flaw in the sound(4) mmap path. The sound driver frees the audio buffer when the device is closed, yet the memory mapping created earlier remains valid. The attacker can read and write the freed kernel memory through this stale mapping, enabling arbitrary kernel memory manipulation. This capability can be abused to gain elevated privileges or to crash the kernel, leading to a denial‑of‑service. The underlying weakness is categorised as CWE‑416: Use After Free.

Affected Systems

All FreeBSD installations running the standard sound subsystem that expose the /dev/dsp device with the default world‑writable permissions are affected. The vulnerability applies to any system that implements the sound(4) mmap interface and uses the /dev/dsp character device.

Risk and Exploitability

The CVSS score is 7, indicating high severity. The EPSS score is less than 1%, suggesting a low probability of exploitation in the wild, but the vulnerability still allows local users with access to the /dev/dsp device to manipulate kernel memory, potentially creating a privilege escalation or causing a kernel crash. The flaw is not listed in the CISA KEV catalog, however the accessibility of the device node and the nature of the use‑after‑free make it dangerous in a local environment.

Generated by OpenCVE AI on June 29, 2026 at 14:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest FreeBSD security update that addresses the sound(4) mmap use‑after‑free flaw.
  • If an update is not yet available, change the permissions of /dev/dsp to restrict access to privileged users only (for example, chmod 600 /dev/dsp and add a dedicated group for audio devices).
  • If the sound subsystem is not required, disable it or remove the sound(4) module to eliminate the attack surface.

Generated by OpenCVE AI on June 29, 2026 at 14:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 27 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Freebsd
Freebsd freebsd
Vendors & Products Freebsd
Freebsd freebsd

Sat, 27 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could then be reused elsewhere while still accessible through the stale mapping. The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS).
Title Multiple vulnerabilities in the sound(4) mmap path
Weaknesses CWE-416
References

cve-icon MITRE

Status: PUBLISHED

Assigner: freebsd

Published:

Updated: 2026-06-30T03:55:26.483Z

Reserved: 2026-05-29T20:24:28.615Z

Link: CVE-2026-49417

cve-icon Vulnrichment

Updated: 2026-06-29T12:48:29.500Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T14:45:04Z

Weaknesses