From nobody Tue Jun 9 23:13:17 2026 X-Original-To: freebsd-security-notifications@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl7x5k1Sz6gq5P for ; Tue, 09 Jun 2026 23:13:17 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl7x1L6jz3P1Q; Tue, 09 Jun 2026 23:13:17 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046797; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=/xrqJjBwzZKo6uk2HN5I3zYauz/WFlGJC8NRs9pYiF4=; b=SF6qOpjyZvxYDdPe7oUHMx+uErlReGEIUE+Q04FfWOEdSjhOfZNP2/h/gT6Ve95gGyrw87 eREnB4fN+e/vaSFX4WdwxsHkw1Rfg7Gxwz/z+7cnuu3G8kGKMLYo+2SvvJAVdEyu/uaIOD aP5Kjl5AK2VE7NphJdorVv5jjOpGP993qABTB7c5qTTjNb+FeIiLe5J6sOWMexqEqEMQlz c/60yGRf8HTdaWdJQk93z+yTBq0fbOtHfQGfo8ZEKmDHHgj3PDzEx0cgIJYRLUNN57pn9T C0JIMNhPOcmP5M4Aboyq/FminLSOcH8I18lQf9cBy39HzQqzLLcz2WBCc8cn2A== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781046797; a=rsa-sha256; cv=none; b=pi44fBXatxbsd9mEFDXTiEURLtFzFh1HIO2AxEqp0tjcTMMEc05d65dydMaXQ+NHsKVKhj 5zHL4wtjBoiLcBK/b24UnybHQiKQCunDaYQbeA6M2eGj3p+MuCPkl76V9tVRs+uzR2ncbx BEAWqwhjwuMxn/V6Rmt1//fDU3So930Ra0jP3RsVtWyfTxF6h9j0BKdS1bQj128QtTA8v8 5MqxyC5ep958yapWiV32MJuaPEls2R/onYp+tCCTDR34O8pYv/Ekk3lzb81DEYucMVS06h 6eiC+e/IOjlgSzlwIDOxvVAyeM/XtZYpBv4UwbjIBDqvRtIakKN7p8yL+SEDFA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046797; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=/xrqJjBwzZKo6uk2HN5I3zYauz/WFlGJC8NRs9pYiF4=; b=F1+buWJ6YI4y4kpd1KnfB+NY4LsK3yxiiv6/fV9fLzcPG5aoUiH+AL/ShfKL7gdRQGaZoB 1TysAoSIARWCD51eZ5gVs5MKr3nB1MPH9tFn0+kd1nH5YYMcFzuxxkiSyK1oMwdd/DUwVc 6eo6ROFHnV/qzalesaKrAtyWjtcCic7kmbFHv4ed110dNGAORmwJLGd4iVZYRJYQ0q5a/2 XjEYKJ1Ac+SLExFRrhX0gPxa+p9daNFJeo12MpnU2IvMT5ZCMCKnatPJzRVlJKo/Skgzmn WWsRnpzZq9LKct71HG8G+cD8eaN+UQqFnTWL5Yrnd4bs9ki5d8BKoYgwqGAXaQ== Received: by freefall.freebsd.org (Postfix, from userid 945) id 105A41FBE4; Tue, 09 Jun 2026 23:13:17 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:27.sound Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260609231317.105A41FBE4@freefall.freebsd.org> Date: Tue, 09 Jun 2026 23:13:17 +0000 (UTC) List-Id: Moderated Security Notifications [moderated, low volume] List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security-notifications@freebsd.org Sender: owner-freebsd-security-notifications@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:27.sound Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in the sound(4) mmap path Category: core Module: sound Announced: 2026-06-09 Credits: Lexpl0it, 75Acol, ch0wn, zer0duck (CVE-2026-45258) Credits: Emmanuel Genier from Quarkslab (CVE-2026-45258) Credits: Hazley Samsudin of GovTech CSG (CVE-2026-45258) Credits: Lexpl0it, 75Acol, Liyw979, Rob1n (CVE-2026-49417) Affects: All supported versions of FreeBSD. Corrected: 2026-06-09 19:17:31 UTC (stable/15, 15.1-STABLE) 2026-06-09 19:20:08 UTC (releng/15.1, 15.1-RC3-p1) 2026-06-09 19:19:45 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-06-09 19:17:48 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:19:07 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:37 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-45258, CVE-2026-49417 CVE-2026-45258 was independently reported by multiple parties prior to publication. For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD provides audio support through the sound(4) driver, which presents each audio device as a set of character device nodes such as /dev/dsp. Applications can use mmap(2) on these devices to map a channel's audio buffer directly into their address space. II. Problem Description The sound(4) driver contained two memory-safety errors in its mmap(2) support. First, dsp_mmap_single() validated the requested mapping by checking the sum of the user-supplied offset and length against the buffer size. This addition could overflow, so that a large offset and length wrapped around and passed the check. The offset was then narrowed from 64 to 32 bits when converted to a buffer address, yielding a mapping that extended past the audio buffer into unrelated kernel memory. (CVE-2026-45258) Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could then be reused elsewhere while still accessible through the stale mapping. (CVE-2026-49417) III. Impact The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS). IV. Workaround No workaround is available. Systems with no sound devices are unaffected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.1] # fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.1.patch # fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.1.patch.asc # gpg --verify sound-15.1.patch.asc [FreeBSD 15.0] # fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.0.patch # fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.0.patch.asc # gpg --verify sound-15.0.patch.asc [FreeBSD 14.4] # fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.4.patch # fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.4.patch.asc # gpg --verify sound-14.4.patch.asc [FreeBSD 14.3] # fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.3.patch # fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.3.patch.asc # gpg --verify sound-14.3.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 7628e1ddfd52 stable/15-n283884 releng/15.1/ abc077216bac releng/15.1-n283552 releng/15.0/ bda153dc04b4 releng/15.0-n281054 stable/14/ f8f9050d61dd stable/14-n274313 releng/14.4/ 0e8cc8d8a49f releng/14.4-n273716 releng/14.3/ de5fd56985c3 releng/14.3-n271516 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiU8bFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvWEsP/0Ge9wC58QJLIkykVAHl hZoU1NU0DaY6L03B4dDiQkbX03CZK4taPmOE6Wp4AjxJztw0gF2SyWY1xHeUafPY NzNGJFhSA+Y6yGiBhffDtewUdfFnHg7JVvmU5KYj5xfKrxSksYOnv8KOuGeI1Vw0 A25TIrP5bKVFu45s2SCNrCHeXMl2Nm2ObMFdd0ZF04abcXyMQbSLlWDA15ZvtSXB e1nOKZTrfHFSGXIx83SqtkTMY0SRbNvGZk3uUAlIXeQR2q4kInyNy42R3j/av4fh 0Il0ZLapO6lTfJwwl9E+ZB4OpE3LJdMap1rrspGo/XMFZOACFCkyrBiKSQHkhkDU WAHtGNOvKXCll4O0LZfEjQkQnGsBhJtmhthF95O8cADXZG+G1crj3+IBL8TLRUWw QsH9dGrD4rNUWaAueztPUEza4zJdbTAgEfSHvauuAlq6LCmrjiyJFmNYvPsNlRGG JMJa5PKEgguR/8054XHlsN8GdxYup8b8bYp55KcTbAjfyj+HAQIJp17tpZKiJjR5 wfaMtkNhCgzM44oGaWbVpwOMeWB/YtrkR3h+ROzAwVallVBoIuUWzu4as3sSOB+a GSwkPy+lD5m2qojRtXuGw7bzvdu2fx6iEeMt1XogXbHxiNxi1tDg0QJDNaWTojk2 Nh8uk5rUl64eHOU4DH+ztFLl =eTyF -----END PGP SIGNATURE-----