CVE-2026-14330
Received - Intake

Memory Corruption in PulseAudio Protocol Server


Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: Red Hat, Inc.

Description

Multiple unbounded alloca() calls in the PulseAudio protocol server.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor | Product | Version / Range
pipewire | pipewire | *

Exploitability

CWE
CWE ID | Description
CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Executive Summary

This vulnerability involves multiple unbounded alloca() calls in the PulseAudio protocol server component of PipeWire. Specifically, several functions allocate arrays on the stack using alloca() based on counts derived from card parameters or client properties without proper bounds checking.

A malicious PulseAudio client can exploit this flaw by sending requests with extremely large parameter counts, causing the server to allocate excessive stack memory.

This leads to stack exhaustion and ultimately crashes the PipeWire daemon, affecting the stability and security of the system.
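
The pattern described above next to a bounded form, as an added C sketch that is not PipeWire source code. The `struct param_info` type, both function names and the `MAX_PARAMS` cap are hypothetical and chosen only for illustration.

```c
#include <alloca.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical per-parameter record; not a PipeWire type. */
struct param_info { uint32_t id; uint32_t flags; };
/* Assumed cap for this sketch; a real limit must come from the protocol. */
#define MAX_PARAMS 1024u

/* Pattern described above: n comes from the client and sizes a stack array.
 * A large n pushes the allocation past the stack limit and the process crashes. */
static uint32_t count_flagged_unbounded(uint32_t n, uint32_t flag)
{
    struct param_info *p = alloca((size_t)n * sizeof(*p));
    uint32_t i, hits = 0;
    for (i = 0; i < n; i++) { p[i].id = i; p[i].flags = i & 1u; }
    for (i = 0; i < n; i++) hits += (p[i].flags & flag) != 0;
    return hits;
}

/* Hardened form: reject oversized counts, then allocate on the heap so that
 * failure is a return code the caller can turn into a protocol error. */
static int count_flagged_bounded(uint32_t n, uint32_t flag, uint32_t *hits)
{
    struct param_info *p;
    uint32_t i;

    *hits = 0;
    if (n > MAX_PARAMS)
        return -E2BIG;            /* refuse before any allocation happens */
    if (n == 0)
        return 0;
    p = calloc(n, sizeof(*p));    /* calloc also checks n * size overflow */
    if (p == NULL)
        return -ENOMEM;
    for (i = 0; i < n; i++) { p[i].id = i; p[i].flags = i & 1u; }
    for (i = 0; i < n; i++) *hits += (p[i].flags & flag) != 0;
    free(p);
    return 0;
}

int main(void)
{
    uint32_t hits;
    int rc = count_flagged_bounded(UINT32_MAX, 1u, &hits); /* constructed input */
    return (rc == -E2BIG && count_flagged_unbounded(4, 1u) == 2) ? 0 : 1;
}
```

The bounded variant turns an oversized count into an error return instead of a daemon crash, which is the behaviour a fix for this class of bug (CWE-770) needs at every site where a client-supplied count sizes an allocation.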

Impact Analysis

The vulnerability lets malicious requests crash the PipeWire daemon through stack exhaustion.

This crash can disrupt audio services relying on PipeWire, leading to denial of service conditions.

While it does not directly compromise confidentiality or integrity, the availability impact can affect system stability and user experience.

Detection Guidance

This vulnerability involves the PulseAudio protocol server component of PipeWire being susceptible to stack exhaustion due to unbounded alloca() calls triggered by malicious client requests with large parameter counts.

Detection could involve monitoring the PipeWire daemon for crashes or abnormal behavior, especially after receiving requests from PulseAudio clients.

Specific commands to detect exploitation attempts are not provided in the available resources.

Mitigation Strategies

The resource does not provide explicit mitigation steps.

General immediate steps would include limiting or blocking untrusted PulseAudio client connections to the PipeWire PulseAudio server and monitoring for PipeWire daemon crashes.

Applying any available patches or updates from the PipeWire maintainers or your distribution is recommended once they are released.

Compliance Impact

The vulnerability involves unbounded alloca() calls that can lead to stack exhaustion and crashing of the PipeWire daemon, affecting system stability and security.

However, there is no information provided about any direct impact on data confidentiality, integrity, or availability that would relate to compliance with standards such as GDPR or HIPAA.

Therefore, based on the available information, it is unclear how this vulnerability specifically affects compliance with common regulatory standards.
