CVE-2026-45258
Received - Intake

Buffer Overflow in FreeBSD /dev/dsp Kernel Memory Access

Vulnerability report for CVE-2026-45258, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-27

Last updated on: 2026-06-27

Assigner: FreeBSD

Description

dsp_mmap_single() validated the requested mapping by checking the sum of the user-supplied offset and length against the buffer size. This addition could overflow, so that a large offset and length wrapped around and passed the check. The offset was then narrowed from 64 to 32 bits when converted to a buffer address, yielding a mapping that extended past the audio buffer into unrelated kernel memory. The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS).

Meta Information

Published: 2026-06-27
Last Modified: 2026-06-27
Generated: 2026-06-27
AI Q&A: 2026-06-27
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor     Product    Version / Range
freebsd    freebsd    *

Exploitability

CWE
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-681 When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Impact Analysis

This vulnerability allows an unprivileged local user to read and write kernel memory, which can be exploited to escalate privileges and potentially gain full control of the affected system.

At a minimum, an attacker can cause the kernel to crash, resulting in a Denial of Service (DoS) condition.

Executive Summary

The vulnerability exists in the dsp_mmap_single() function, which validates a requested memory mapping by adding a user-supplied offset and length and comparing the sum against the buffer size. However, this addition can overflow, allowing a large offset and length to wrap around and incorrectly pass the validation check.

After this, the offset is narrowed from 64 bits to 32 bits when converted to a buffer address, which results in a mapping that extends beyond the intended audio buffer and into unrelated kernel memory.

Because the /dev/dsp device nodes are world-accessible by default on systems with an audio device, an unprivileged local user can exploit this flaw to read and write kernel memory.
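
Added example, not FreeBSD source and not part of the original report: a user-space C model of the two defect classes described above, the wrapping bounds check (CWE-190) and the 64-to-32-bit narrowing (CWE-681), each beside an overflow-safe form. All function names and sample values are hypothetical.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical user-space model, not FreeBSD source code. */

/* Flawed pattern: offset + length is computed modulo 2^64 and can wrap. */
static bool check_wrapping(uint64_t offset, uint64_t length, uint64_t bufsize)
{
    return offset + length <= bufsize;
}

/* Overflow-safe pattern: bound offset first, then compare length against
 * the remaining space, so untrusted values are never added together. */
static bool check_safe(uint64_t offset, uint64_t length, uint64_t bufsize)
{
    return offset <= bufsize && length <= bufsize - offset;
}

/* Flawed narrowing: the high 32 bits are silently discarded. */
static uint32_t narrow_unchecked(uint64_t offset)
{
    return (uint32_t)offset;
}

/* Checked narrowing: returns -1 when the value does not fit in 32 bits. */
static int64_t narrow_checked(uint64_t offset)
{
    return offset > UINT32_MAX ? -1 : (int64_t)offset;
}

int main(void)
{
    /* Constructed sample values, chosen only to show the arithmetic. */
    const uint64_t bufsize = 65536;
    const uint64_t offset = UINT64_MAX - 4095; /* 0xFFFFFFFFFFFFF000 */
    const uint64_t length = 8192;
    const uint64_t wide = 0x100001000ULL;      /* needs 33 bits */

    printf("sum wraps to %" PRIu64 "\n", offset + length);
    printf("wrapping check accepts: %d\n", check_wrapping(offset, length, bufsize));
    printf("safe check accepts:     %d\n", check_safe(offset, length, bufsize));
    printf("unchecked narrow: 0x%" PRIx32 "\n", narrow_unchecked(wide));
    printf("checked narrow:   %" PRId64 "\n", narrow_checked(wide));
    return 0;
}
```

The same two patterns are what to look for when auditing other mmap or ioctl handlers that validate user-supplied offset and length pairs.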

Mitigation Strategies

The /dev/dsp device nodes are world-accessible by default, which is what lets unprivileged local users reach the flaw. Until a fix is applied, restrict access to these nodes to trusted users only.

  • Change the permissions of /dev/dsp to limit access, for example using: chmod 660 /dev/dsp
  • Change the ownership of /dev/dsp to a specific group and add only trusted users to that group, for example: chown root:audio /dev/dsp and pw groupmod audio -m <trusted_user> (FreeBSD has no usermod command; pw(8) manages group membership)
  • If possible, disable or unload the audio device driver temporarily until a patch or fix is applied.

These steps help prevent unprivileged users from accessing the vulnerable device and exploiting the kernel memory corruption. Because /dev is a devfs mount on FreeBSD, permissions set with chmod and chown do not persist across reboots; make them permanent through devfs.conf(5) or devfs.rules(5).
