=============================================================================
FreeBSD-SA-26:27.sound                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in the sound(4) mmap path

Category:       core
Module:         sound
Announced:      2026-06-09
Credits:        Lexpl0it, 75Acol, ch0wn, zer0duck (CVE-2026-45258)
Credits:        Emmanuel Genier from Quarkslab (CVE-2026-45258)
Credits:        Hazley Samsudin of GovTech CSG (CVE-2026-45258)
Credits:        Lexpl0it, 75Acol, Liyw979, Rob1n (CVE-2026-49417)
Affects:        All supported versions of FreeBSD.
Corrected:      2026-06-09 19:17:31 UTC (stable/15, 15.1-STABLE)
                2026-06-09 19:20:08 UTC (releng/15.1, 15.1-RC3-p1)
                2026-06-09 19:19:45 UTC (releng/15.0, 15.0-RELEASE-p10)
                2026-06-09 19:17:48 UTC (stable/14, 14.4-STABLE)
                2026-06-09 19:19:07 UTC (releng/14.4, 14.4-RELEASE-p6)
                2026-06-09 19:18:37 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name:       CVE-2026-45258, CVE-2026-49417

CVE-2026-45258 was independently reported by multiple parties prior to
publication.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD provides audio support through the sound(4) driver, which presents
each audio device as a set of character device nodes such as /dev/dsp.
Applications can use mmap(2) on these devices to map a channel's audio
buffer directly into their address space.

II.  Problem Description

The sound(4) driver contained two memory-safety errors in its mmap(2)
support.

First, dsp_mmap_single() validated the requested mapping by checking the
sum of the user-supplied offset and length against the buffer size.  This
addition could overflow, so that a large offset and length wrapped around
and passed the check.  The offset was then narrowed from 64 to 32 bits when
converted to a buffer address, yielding a mapping that extended past the
audio buffer into unrelated kernel memory.  (CVE-2026-45258)

Second, the audio buffer backing a mapping could be freed when the device
was closed even though the mapping remained valid.  The freed memory could
then be reused elsewhere while still accessible through the stale mapping.
(CVE-2026-49417)

III. Impact

The /dev/dsp device nodes are world-accessible by default.  On a system
with an audio device, either issue allows an unprivileged local user to
read and write kernel memory, which can be used to escalate privileges,
potentially gaining full control of the affected system.  At a minimum, an
attacker can crash the kernel, resulting in a Denial of Service (DoS).

IV.  Workaround

No workaround is available.  Systems with no sound devices are unaffected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms which were not installed using base system packages can be
updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 15.1]
# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.1.patch
# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.1.patch.asc
# gpg --verify sound-15.1.patch.asc

[FreeBSD 15.0]
# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.0.patch
# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.0.patch.asc
# gpg --verify sound-15.0.patch.asc

[FreeBSD 14.4]
# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.4.patch
# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.4.patch.asc
# gpg --verify sound-14.4.patch.asc

[FreeBSD 14.3]
# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.3.patch
# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.3.patch.asc
# gpg --verify sound-14.3.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              7628e1ddfd52    stable/15-n283884
releng/15.1/                            abc077216bac  releng/15.1-n283552
releng/15.0/                            bda153dc04b4  releng/15.0-n281054
stable/14/                              f8f9050d61dd    stable/14-n274313
releng/14.4/                            0e8cc8d8a49f  releng/14.4-n273716
releng/14.3/                            de5fd56985c3  releng/14.3-n271516
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
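
An added illustration of the first issue in section II, not code from this advisory or from the FreeBSD source tree and not the committed fix: it contrasts a bounds check that forms offset + length with one that cannot wrap, and shows a guarded 64-to-32-bit narrowing. All function names and all values are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Check pattern described in section II: the 64-bit sum can wrap to a small value. */
static bool range_ok_wrapping(uint64_t off, uint64_t len, uint64_t bufsz)
{
    return off + len <= bufsz;
}

/* Overflow-safe form: never compute off + len; bufsz - off cannot underflow
 * because off <= bufsz is tested first. */
static bool range_ok_checked(uint64_t off, uint64_t len, uint64_t bufsz)
{
    return off <= bufsz && len <= bufsz - off;
}

/* Guarded narrowing: refuse any offset that does not fit in 32 bits
 * instead of silently discarding the upper half. */
static bool narrow_offset(uint64_t off, uint32_t *out)
{
    if (off > UINT32_MAX)
        return false;
    *out = (uint32_t)off;
    return true;
}

int main(void)
{
    const uint64_t bufsz = 0x10000;              /* constructed: 64 KiB buffer */
    const uint64_t off = 0xFFFFFFFFFFFFF000ULL;  /* constructed request */
    const uint64_t len = 0x2000;                 /* constructed request */
    uint32_t narrowed = 0;

    printf("sum as computed:   0x%llx\n", (unsigned long long)(off + len));
    printf("wrapping check:    %s\n",
           range_ok_wrapping(off, len, bufsz) ? "accepts" : "rejects");
    printf("checked form:      %s\n",
           range_ok_checked(off, len, bufsz) ? "accepts" : "rejects");
    printf("unguarded narrow:  0x%x\n", (unsigned)(uint32_t)off);
    printf("guarded narrow:    %s\n",
           narrow_offset(off, &narrowed) ? "accepts" : "rejects");
    return 0;
}
```

The same two rules apply when reviewing any mmap or ioctl handler that takes a user-supplied offset and length: compare against the remaining space rather than the sum, and validate before any conversion to a narrower type.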