FreeBSD CVE-2026-45258

EUVD: EUVD-2026-39962 | HIGH
Out-of-bounds Read (CWE-125)
2026-06-27 freebsd
7.8
CVSS 3.1 · Vendor: freebsd

Severity by source

Vendor (freebsd), PRIMARY: 7.8 HIGH, AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI: 7.8 HIGH

Local-only via world-readable /dev/dsp requiring a local account (AV:L, PR:L); deterministic mmap overflow gives AC:L; arbitrary kernel read/write yields full C:H/I:H/A:H on the same system (S:U).

CVSS 3.1: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (freebsd).

CVSS Vector (Vendor: freebsd)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (3 events)

Analysis Generated: Jun 29, 2026 - 14:26 (vuln.today)
CVSS changed: Jun 29, 2026 - 14:22 (NVD), 7.8 (HIGH)
CVE Published: Jun 27, 2026 - 08:50 (cve.org), UNKNOWN (no severity yet)

Description (CVE.org)

dsp_mmap_single() validated the requested mapping by checking the sum of the user-supplied offset and length against the buffer size. This addition could overflow, so that a large offset and length wrapped around and passed the check. The offset was then narrowed from 64 to 32 bits when converted to a buffer address, yielding a mapping that extended past the audio buffer into unrelated kernel memory.

The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS).
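The bounds check described above, modeled in userland C as an added example (not FreeBSD source and not taken from the advisory); the function names, buffer size and test vectors are constructed for illustration. It puts the wrapping comparison beside an overflow-safe form and adds a helper that flags values that change when narrowed from 64 to 32 bits.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Userland model with hypothetical names, not FreeBSD source.
 * Flawed pattern: the 64-bit sum wraps modulo 2^64 before the comparison. */
static bool check_wrapping(uint64_t offset, uint64_t length, uint64_t bufsize)
{
    return offset + length <= bufsize;
}

/* Overflow-safe form: no addition, so nothing can wrap. */
static bool check_safe(uint64_t offset, uint64_t length, uint64_t bufsize)
{
    if (offset > bufsize) return false;
    return length <= bufsize - offset;   /* cannot underflow here */
}

/* True when a 64-bit value keeps its meaning after narrowing to 32 bits. */
static bool survives_narrowing(uint64_t v)
{
    return (uint64_t)(uint32_t)v == v;
}

/* Constructed vectors {offset, length} and a constructed buffer size. */
#define BUFSIZE 0x10000ULL
static const uint64_t CASES[][2] = {
    { 0x1000, 0x1000 },                  /* in range */
    { 0x10000, 1 },                      /* one byte past the end */
    { 0xFFFFFFFFFFFFF000ULL, 0x2000 },   /* sum wraps to 0x1000 */
    { UINT64_MAX, 1 },                   /* sum wraps to 0 */
};
#define NCASES (sizeof(CASES) / sizeof(CASES[0]))

/* Counts vectors the wrapping check accepts but the safe check rejects. */
static unsigned count_wrongly_accepted(void)
{
    unsigned n = 0;
    for (size_t i = 0; i < NCASES; i++)
        if (check_wrapping(CASES[i][0], CASES[i][1], BUFSIZE) &&
            !check_safe(CASES[i][0], CASES[i][1], BUFSIZE))
            n++;
    return n;
}

int main(void)
{
    printf("wrongly accepted: %u, narrowing ok: %d\n", count_wrongly_accepted(), survives_narrowing(CASES[2][0]));
    return 0;
}
```

The same vector table works as a regression test for any range validator: a correct check must reject every case where the mathematical sum exceeds the buffer size, whether or not the machine sum wraps.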

Analysis (AI)

Local privilege escalation in the FreeBSD kernel sound subsystem lets an unprivileged user map kernel memory outside the audio buffer via an integer-overflow flaw in dsp_mmap_single(). Because /dev/dsp device nodes are world-accessible by default, any local user on a system with an audio device can read and write arbitrary kernel memory, enabling full system compromise or a kernel panic (DoS). …

Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Recon: Obtain unprivileged local account
Delivery: Open world-readable /dev/dsp
Exploit: mmap with overflowing offset+length
Install: Bypass bounds check via integer overflow
C2: Map kernel memory past audio buffer
Execute: Read/write kernel memory
Impact: Escalate to root or panic kernel

Vulnerability Assessment (AI)

Exploitation: Exploitation requires local access via an unprivileged user account on a FreeBSD host (14.3, 14.4, or 15.0 prior to the patched levels) that has an audio device, with the snd_* sound drivers loaded so that /dev/dsp device nodes exist. …

Risk Assessment: The signals are internally consistent and point to a serious-but-locally-scoped issue. …

Exploit Scenario: An attacker with an unprivileged shell account on a multi-user FreeBSD desktop or jail host that has a sound card opens the world-readable /dev/dsp node and issues an mmap() with a crafted large offset and length that overflows the bounds check. The resulting mapping lands in kernel memory, which the attacker reads to leak secrets (kernel pointers, credentials) and writes to overwrite a privileged structure, escalating to root; alternatively a malformed mapping simply panics the kernel for denial of service. …

Remediation: Apply the FreeBSD errata patches: upgrade to 14.4-RELEASE-p6, 14.3-RELEASE-p15, or 15.0-RELEASE-p10 (Vendor-released patch per FreeBSD-SA-26:27.sound) using freebsd-update or by rebuilding the kernel from the patched source branch, then reboot so the corrected kernel takes effect. …

Recommended Action (AI)

24 hours: Inventory FreeBSD systems with audio devices and assess business criticality; restrict /dev/dsp device access (chmod 600 or equivalent ACL) on non-critical systems pending patching. …
