CVE-2026-45258

dsp_mmap_single() validated the requested mapping by checking the sum of the user-supplied offset and length against the buffer size. This addition could overflow, so that a large offset and length wrapped around and passed the check. The offset was then narrowed from 64 to 32 bits when converted to a buffer address, yielding a mapping that extended past the audio buffer into unrelated kernel memory. The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS).

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://security.freebsd.org/advisories/FreeBSD-SA-26:27.sound.asc

Configurations

No configuration.

History

29 Jun 2026, 14:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8

27 Jun 2026, 09:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-27 09:16

Updated : 2026-06-30 05:19

NVD link : CVE-2026-45258

Mitre link : CVE-2026-45258

CVE.ORG link : CVE-2026-45258

JSON object : View

Products Affected

No product.

CWE

CWE-125

Out-of-bounds Read

CWE-190

Integer Overflow or Wraparound

CWE-681

Incorrect Conversion between Numeric Types

CWE-787

Out-of-bounds Write

{"id": "CVE-2026-45258", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-45258", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-06-29T00:00:00+00:00"}}], "cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "affected": [{"source": "secteam@freebsd.org", "affectedData": [{"vendor": "FreeBSD", "modules": ["sound"], "product": "FreeBSD", "versions": [{"status": "affected", "version": "15.0-RELEASE", "lessThan": "p10", "versionType": "release"}, {"status": "affected", "version": "14.4-RELEASE", "lessThan": "p6", "versionType": "release"}, {"status": "affected", "version": "14.3-RELEASE", "lessThan": "p15", "versionType": "release"}], "defaultStatus": "unknown"}]}], "published": "2026-06-27T09:16:22.847", "references": [{"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:27.sound.asc", "source": "secteam@freebsd.org"}], "vulnStatus": "Undergoing Analysis", "weaknesses": [{"type": "Secondary", "source": "secteam@freebsd.org", "description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-681"}, {"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "dsp_mmap_single() validated the requested mapping by checking the sum of the user-supplied offset and length against the buffer size. This addition could overflow, so that a large offset and length wrapped around and passed the check. The offset was then narrowed from 64 to 32 bits when converted to a buffer address, yielding a mapping that extended past the audio buffer into unrelated kernel memory.\n\nThe /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS)."}], "lastModified": "2026-06-30T05:19:24.010", "sourceIdentifier": "secteam@freebsd.org"}