Multiple vulnerabilities in the sound(4) mmap path
Summary
| CVE | CVE-2026-49417 |
|---|---|
| State | PUBLISHED |
| Assigner | freebsd |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-27 09:16:24 UTC |
| Updated | 2026-06-27 09:16:24 UTC |
| Description | Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could then be reused elsewhere while still accessible through the stale mapping. The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS). |
Risk And Classification
Problem Types: CWE-416 | CWE-416 CWE-416: Use After Free
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| security.freebsd.org/advisories/FreeBSD-SA-26:27.sound.asc | [email protected] | security.freebsd.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Lexpl0it, 75Acol, Liyw979, Rob1n (en)
There are currently no legacy QID mappings associated with this CVE.