Home / mailings FreeBSD Security Advisory FreeBSD-SA-26:27.sound
Posted on 10 June 2026
FreeBSD security notificat=============================================================================FreeBSD-SA-26:27.sound Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities in the sound(4) mmap path
Category: core
Module: sound
Announced: 2026-06-09
Credits: Lexpl0it, 75Acol, ch0wn, zer0duck (CVE-2026-45258)
Credits: Emmanuel Genier from Quarkslab (CVE-2026-45258)
Credits: Hazley Samsudin of GovTech CSG (CVE-2026-45258)
Credits: Lexpl0it, 75Acol, Liyw979, Rob1n (CVE-2026-49417)
Affects: All supported versions of FreeBSD.
Corrected: 2026-06-09 19:17:31 UTC (stable/15, 15.1-STABLE)
2026-06-09 19:20:08 UTC (releng/15.1, 15.1-RC3-p1)
2026-06-09 19:19:45 UTC (releng/15.0, 15.0-RELEASE-p10)
2026-06-09 19:17:48 UTC (stable/14, 14.4-STABLE)
2026-06-09 19:19:07 UTC (releng/14.4, 14.4-RELEASE-p6)
2026-06-09 19:18:37 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name: CVE-2026-45258, CVE-2026-49417
CVE-2026-45258 was independently reported by multiple parties prior to
publication.
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
FreeBSD provides audio support through the sound(4) driver, which presents
each audio device as a set of character device nodes such as /dev/dsp.
Applications can use mmap(2) on these devices to map a channel's audio
buffer directly into their address space.
II. Problem Description
The sound(4) driver contained two memory-safety errors in its mmap(2)
support.
First, dsp_mmap_single() validated the requested mapping by checking the
sum of the user-supplied offset and length against the buffer size. This
addition could overflow, so that a large offset and length wrapped around
and passed the check. The offset was then narrowed from 64 to 32 bits when
converted to a buffer address, yielding a mapping that extended past the
audio buffer into unrelated kernel memory. (CVE-2026-45258)
Second, the audio buffer backing a mapping could be freed when the device
was closed even though the mapping remained valid. The freed memory could
then be reused elsewhere while still accessible through the stale mapping.
(CVE-2026-49417)
III. Impact
The /dev/dsp device nodes are world-accessible by default. On a system
with an audio device, either issue allows an unprivileged local user to
read and write kernel memory, which can be used to escalate privileges,
potentially gaining full control of the affected system. At a minimum, an
attacker can crash the kernel, resulting in a Denial of Service (DoS).
IV. Workaround
No workaround is available. Systems with no sound devices are unaffected.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.
Perform one of the following:
1) To update your vulnerable system installed from base system packages:
Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:
# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 15.1]
# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.1.patch
# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.1.patch.asc
# gpg --verify sound-15.1.patch.asc
[FreeBSD 15.0]
# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.0.patch
# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.0.patch.asc
# gpg --verify sound-15.0.patch.asc
[FreeBSD 14.4]
# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.4.patch
# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.4.patch.asc
# gpg --verify sound-14.4.patch.asc
[FreeBSD 14.3]
# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.3.patch
# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.3.patch.asc
# gpg --verify sound-14.3.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ 7628e1ddfd52 stable/15-n283884
releng/15.1/ abc077216bac releng/15.1-n283552
releng/15.0/ bda153dc04b4 releng/15.0-n281054
stable/14/ f8f9050d61dd stable/14-n274313
releng/14.4/ 0e8cc8d8a49f releng/14.4-n273716
releng/14.3/ de5fd56985c3 releng/14.3-n271516
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat <commit hash>
Or visit the following URL, replacing NNNNNN with the hash:
<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
<URL:https://www.cve.org/CVERecord?id=CVE-2026-45258>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-49417>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:27.sound.asc>
