From nobody Tue Jun 9 23:13:16 2026 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl7x5Gqxz6gqB6 for ; Tue, 09 Jun 2026 23:13:17 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl7x1sRkz3Nks; Tue, 09 Jun 2026 23:13:17 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046797; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=/xrqJjBwzZKo6uk2HN5I3zYauz/WFlGJC8NRs9pYiF4=; b=cKBvNqHNbAolcPS+y3Jrp5DA8/DPPJCLeb2m4afG7tKDn9mfL4ky4p/oa9mGWFag7Lc2pQ xy9pjq8sranjnHxKJUKEE01bkMb0iTf72bAYXb9RrcsdOQKPPVggLK7wh1rq2Aly78zBhL fLBfhfZSHOsnp2NwP6BfzWNh/dXsor6nU1XJMhm2x/56e4F9gQGFKWPJ4mkD+rqT5ijRvd uf7F9OvcFOwzKGNlrpxCfJ4ftMhy8jT/ve6iMPKSpmLtXkvubXXIuADtXd/54p3xJOjaUX 8OyI4DkvA3qTmXtkOQt6N8fd9wVjjqv2tWXfALecuuOqRKO0GBFbYB0vdcKNBQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781046797; a=rsa-sha256; cv=none; b=YclHEUDL47FVHDdqPNaGyEThcTrAH5cIaXA/r+90ZRiRwK8lLN2QD1OzaOLvClQ25sf+Wy YisgoKvOiC5e/QCVo7m9kjqRcX6xQv0jpgJU/sGvm0IZGMEmKfDyf5FvWtNuMbTAzkVn3f Yg83hA+/D8Nad0Gk9u6iaKMs5HSeADoDcCaLAPpBnYRCk3VNdYrjAMowWMqsD5t6Vdd19y HOW5hX+OoTCs+sTCWW9GeB3qFap9zDjoC8K65SU01iy3AlwaBSPD6hxIM2JVPp/NQLWKq7 XBBx0cahkkoLFtvOEAP+07Yvpxk8WVBRZ+UzM+fgT27C1g1uxS2BDGCDySjCHg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046797; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=/xrqJjBwzZKo6uk2HN5I3zYauz/WFlGJC8NRs9pYiF4=; b=kKS8hwyi9y1RAYAfbHHK6nls9PQ4U653ILX/xiROnxH11bmAegr+TWnq46sYWCbuDFOKo6 ZlnLyJaIAPZnX1YkqCzEows9PoaP9V2aoTISMdpM+4RvdQKgdo0Pb05QBW6z2bpqCzyn6F p61ElxNbeeiNUPg/CF0katNJcMyhX+Fhjf3gC+PfpmPO035IjmznJQtV/m8WRr+axUWmBh sZ6YIqmCv+vN3dTIx5QB7Ecv52nSbrZRDbA16IBiDYmw38U1K56rTx9QXA5QUuM1zTrG9d 4QDE7YBTY0NVOmEXK6n6t7pCNTW4E4dihOPyYSBt4QHMDWX2eX0LqwtfVQ5+vA== Received: by freefall.freebsd.org (Postfix, from userid 945) id 02BD91FD22; Tue, 09 Jun 2026 23:13:16 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:27.sound Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260609231317.02BD91FD22@freefall.freebsd.org> Date: Tue, 09 Jun 2026 23:13:16 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-announce@freebsd.org Sender: owner-freebsd-announce@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:27.sound Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in the sound(4) mmap path Category: core Module: sound Announced: 2026-06-09 Credits: Lexpl0it, 75Acol, ch0wn, zer0duck (CVE-2026-45258) Credits: Emmanuel Genier from Quarkslab (CVE-2026-45258) Credits: Hazley Samsudin of GovTech CSG (CVE-2026-45258) Credits: Lexpl0it, 75Acol, Liyw979, Rob1n (CVE-2026-49417) Affects: All supported versions of FreeBSD. Corrected: 2026-06-09 19:17:31 UTC (stable/15, 15.1-STABLE) 2026-06-09 19:20:08 UTC (releng/15.1, 15.1-RC3-p1) 2026-06-09 19:19:45 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-06-09 19:17:48 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:19:07 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:37 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-45258, CVE-2026-49417 CVE-2026-45258 was independently reported by multiple parties prior to publication. For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD provides audio support through the sound(4) driver, which presents each audio device as a set of character device nodes such as /dev/dsp. Applications can use mmap(2) on these devices to map a channel's audio buffer directly into their address space. II. Problem Description The sound(4) driver contained two memory-safety errors in its mmap(2) support. First, dsp_mmap_single() validated the requested mapping by checking the sum of the user-supplied offset and length against the buffer size. This addition could overflow, so that a large offset and length wrapped around and passed the check. The offset was then narrowed from 64 to 32 bits when converted to a buffer address, yielding a mapping that extended past the audio buffer into unrelated kernel memory. (CVE-2026-45258) Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could then be reused elsewhere while still accessible through the stale mapping. (CVE-2026-49417) III. Impact The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS). IV. Workaround No workaround is available. Systems with no sound devices are unaffected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.1] # fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.1.patch # fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.1.patch.asc # gpg --verify sound-15.1.patch.asc [FreeBSD 15.0] # fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.0.patch # fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.0.patch.asc # gpg --verify sound-15.0.patch.asc [FreeBSD 14.4] # fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.4.patch # fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.4.patch.asc # gpg --verify sound-14.4.patch.asc [FreeBSD 14.3] # fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.3.patch # fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.3.patch.asc # gpg --verify sound-14.3.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 7628e1ddfd52 stable/15-n283884 releng/15.1/ abc077216bac releng/15.1-n283552 releng/15.0/ bda153dc04b4 releng/15.0-n281054 stable/14/ f8f9050d61dd stable/14-n274313 releng/14.4/ 0e8cc8d8a49f releng/14.4-n273716 releng/14.3/ de5fd56985c3 releng/14.3-n271516 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiU8bFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvWEsP/0Ge9wC58QJLIkykVAHl hZoU1NU0DaY6L03B4dDiQkbX03CZK4taPmOE6Wp4AjxJztw0gF2SyWY1xHeUafPY NzNGJFhSA+Y6yGiBhffDtewUdfFnHg7JVvmU5KYj5xfKrxSksYOnv8KOuGeI1Vw0 A25TIrP5bKVFu45s2SCNrCHeXMl2Nm2ObMFdd0ZF04abcXyMQbSLlWDA15ZvtSXB e1nOKZTrfHFSGXIx83SqtkTMY0SRbNvGZk3uUAlIXeQR2q4kInyNy42R3j/av4fh 0Il0ZLapO6lTfJwwl9E+ZB4OpE3LJdMap1rrspGo/XMFZOACFCkyrBiKSQHkhkDU WAHtGNOvKXCll4O0LZfEjQkQnGsBhJtmhthF95O8cADXZG+G1crj3+IBL8TLRUWw QsH9dGrD4rNUWaAueztPUEza4zJdbTAgEfSHvauuAlq6LCmrjiyJFmNYvPsNlRGG JMJa5PKEgguR/8054XHlsN8GdxYup8b8bYp55KcTbAjfyj+HAQIJp17tpZKiJjR5 wfaMtkNhCgzM44oGaWbVpwOMeWB/YtrkR3h+ROzAwVallVBoIuUWzu4as3sSOB+a GSwkPy+lD5m2qojRtXuGw7bzvdu2fx6iEeMt1XogXbHxiNxi1tDg0QJDNaWTojk2 Nh8uk5rUl64eHOU4DH+ztFLl =eTyF -----END PGP SIGNATURE-----