Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local-only via world-readable /dev/dsp requiring a local account (AV:L, PR:L); deterministic mmap overflow gives AC:L; arbitrary kernel read/write yields full C:H/I:H/A:H on the same system (S:U).
Primary rating from vendor (freebsd).
CVSS vector (vendor: freebsd): CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
dsp_mmap_single() validated the requested mapping by checking the sum of the user-supplied offset and length against the buffer size. This addition could overflow, so that a large offset and length wrapped around and passed the check. The offset was then narrowed from 64 to 32 bits when converted to a buffer address, yielding a mapping that extended past the audio buffer into unrelated kernel memory.
The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS).
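The following is an added illustration of the bounds-check pattern the description above refers to; it is not code from the FreeBSD sound driver, and the function names, the fixed 64 KiB buffer size and the sample offsets are constructed for the example. It places the overflow-prone check (offset plus length compared with the buffer size) beside a form that cannot wrap, and shows separately what narrowing a 64-bit offset to 32 bits does to the resulting buffer address.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed buffer size for the example; the real driver uses the
 * length of the allocated audio buffer. */
#define DSP_BUFSIZE 65536u

/* Pattern described in the advisory: the user-supplied offset and length
 * are added and the sum is compared with the buffer size. Both operands
 * are 64-bit and attacker-controlled, so the addition can wrap around and
 * a huge offset/length pair compares as "small". (Hypothetical name.) */
bool mmap_check_vulnerable(uint64_t off, uint64_t len, uint32_t bufsize)
{
    return off + len <= bufsize;   /* unsigned wrap defeats the check */
}

/* Hardened form: validate each operand against the remaining space so no
 * arithmetic can overflow. bufsize - off is only computed once off is
 * known to be <= bufsize, so the subtraction cannot underflow either. */
bool mmap_check_hardened(uint64_t off, uint64_t len, uint32_t bufsize)
{
    if (len == 0)
        return false;                        /* nothing to map */
    if (off > bufsize)
        return false;                        /* offset itself is out of range */
    if (len > (uint64_t)bufsize - off)
        return false;                        /* length exceeds remaining space */
    return true;
}

/* Second half of the defect: the 64-bit offset is narrowed to 32 bits when
 * it is turned into a buffer address. Returns the truncated value so the
 * caller can compare it with the buffer size. */
uint32_t narrow_offset(uint64_t off)
{
    return (uint32_t)off;
}

int main(void)
{
    /* Constructed pair: off + len wraps to 0x1000, which is < DSP_BUFSIZE. */
    uint64_t off = 0xFFFFFFFFFFFFF000ULL;
    uint64_t len = 0x2000;

    printf("off=0x%" PRIx64 " len=0x%" PRIx64 "\n", off, len);
    printf("vulnerable check: %s\n", mmap_check_vulnerable(off, len, DSP_BUFSIZE) ? "accepted" : "rejected");
    printf("hardened check:   %s\n", mmap_check_hardened(off, len, DSP_BUFSIZE) ? "accepted" : "rejected");
    printf("narrowed offset:  0x%" PRIx32 " (buffer size 0x%x)\n", narrow_offset(off), DSP_BUFSIZE);
    return 0;
}
```

The hardened check is the same three comparisons a reviewer would ask for in any mmap or ioctl length validation: bound the offset first, then bound the length against what remains, and never compare a sum of two untrusted values against a limit.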
Analysis (AI-generated)
Local privilege escalation in the FreeBSD kernel sound subsystem lets an unprivileged user map kernel memory outside the audio buffer via an integer-overflow flaw in dsp_mmap_single(). Because /dev/dsp device nodes are world-accessible by default, any local user on a system with an audio device can read and write arbitrary kernel memory, enabling full system compromise or a kernel panic (DoS). …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires local access via an unprivileged user account on a FreeBSD host (14.3, 14.4, or 15.0 prior to the patched levels) that has an audio device, with the snd_* sound drivers loaded so that /dev/dsp device nodes exist. … |
| Risk Assessment | The signals are internally consistent and point to a serious-but-locally-scoped issue. … |
| Exploit Scenario | An attacker with an unprivileged shell account on a multi-user FreeBSD desktop or jail host that has a sound card opens the world-readable /dev/dsp node and issues an mmap() with a crafted large offset and length that overflows the bounds check. The resulting mapping lands in kernel memory, which the attacker reads to leak secrets (kernel pointers, credentials) and writes to overwrite a privileged structure, escalating to root; alternatively a malformed mapping simply panics the kernel for denial of service. … |
| Remediation | Apply the FreeBSD errata patches: upgrade to 14.4-RELEASE-p6, 14.3-RELEASE-p15, or 15.0-RELEASE-p10 (vendor-released patch per FreeBSD-SA-26:27.sound) using freebsd-update or by rebuilding the kernel from the patched source branch, then reboot so the corrected kernel takes effect. … |
Recommended Action (AI-generated)
24 hours: Inventory FreeBSD systems with audio devices and assess business criticality; restrict /dev/dsp device access (chmod 600 or equivalent ACL) on non-critical systems pending patching. …
Related vulnerabilities
- The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess…
- Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to…
- Remote code execution in FreeBSD kernel's RPCSEC_GSS implementation (kgssapi.ko) and userspace RPC servers (librpcgss_se…
- Local privilege escalation in FreeBSD's libcasper(3) library affects FreeBSD 14.3, 14.4, and 15.0 releases prior to spec…
- By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enabl…
- Local privilege escalation in FreeBSD via the ptrace(PT_SC_REMOTE) interface allows an unprivileged user with debug acce…
- Local privilege escalation in FreeBSD 13.5 through 15.0 allows unprivileged processes to gain root privileges by exploit…
- Heap buffer overflow in FreeBSD dhclient enables potential remote code execution when processing maliciously crafted DHC…
- Heap buffer overflow in FreeBSD's libnv library allows remote unauthenticated attackers to achieve privilege escalation…
- Remote code execution as root in FreeBSD dhclient allows malicious DHCP servers to inject arbitrary commands via unsanit…
- Local privilege escalation in the FreeBSD kernel's vt(4) console driver stems from an integer overflow in the CONS_HISTO…
- Local ASLR bypass in the FreeBSD ELF image activator (kernel) lets an unprivileged user neutralize address-space layout…
Weakness: CWE-125 – Out-of-bounds Read
Technique: Buffer Overflow
Alias: EUVD-2026-39962