Set limits for maximum volume and maximum volume increase to prevent malicious actors from causing physiological harm (ear damage)
With this command one can easily change the volume:
pactl set-sink-volume @DEFAULT_SINK@ +2%
The command works even if audio is currently playing, is applied immediately and does not require sudo.
The problem is that you can enter any value where it says 2%. This can cause physiological damage to humans. I'm surprised there aren't yet reports of people who got their ears damaged or even went deaf due to this.
This allows you to configure the volume to be at any level above 100%. On Debian 11/KDE this is possible even if "Raise maximum volume" is not checked in the settings of KDE's plasma-pa volume control applet (if it is checked, it only displays the maximum volume to be 150% but doesn't actually affect changes via this command).
Note that this command is fairly well known as it's often needed to change the volume via keyboard shortcuts or for example a mouse wheel.
Maybe it would be better if this bug were only visible to developers (I'm okay with it getting hidden). I thought about asking about this on unix.stackexchange.com but this way more people may become aware of this physical vulnerability before a patch has been implemented. It would be best if this was solved on the operating system or kernel level, but pulseaudio should implement a security precaution even if it gets implemented on that level.
Like with many other security vulnerabilities, you don't necessarily have to have physical access to another person's computer (or GNU/Linux phone) to exploit it. It's very rare for vulnerabilities to have the potential to directly, rather than indirectly, cause physiological damage. Not only that, it also puts many people at risk.
I intend to test this with a broken headphone later and see if it explodes, fries, caps the volume at a very high level, just stops working or none of these. I think this probably varies per value and headphone(!) but I'll update this issue once I have tested it. This doesn't require people to use headphones to be a physically dangerous bug, in fact without headphones it could cause physical damage to even more people at once.
I probably can't overstate how important this vulnerability is: I think this is the one and only most severe known issue that GNU/Linux currently has. I think it's in a category of severity of its own in which only issues as severe as the recent Log4j security vulnerability are.
I think it's a necessity that this issue is solved before widespread adoption of GNU/Linux (I think I also had this as a "barriers to adoption" at the bottom of https://myndstream.github.io/Switch2Linux/dist/spa/index.html#/). While I'm all for a larger market share of desktop GNU/Linux and measures to increase adoption, even I could agree with this not being a good idea/goal if this issue remains unsolved. I'm slightly ashamed that the GNU/Linux community(ies) hasn't addressed and solved this yet. Maybe there are also other commands that can also raise the volume to very high levels (in cases where PulseAudio isn't used). It won't be fixed on the desktop environment / KDE level; I created an issue about it earlier here.
Due to the importance of this bug, I apologize for probably having phrased it suboptimally and for not filing it earlier.
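The two limits requested in the title (a volume ceiling and a cap on any single increase) can be sketched as a wrapper for keyboard or mouse-wheel shortcuts. This is an added example, not part of the original report and not PulseAudio code; `MAX_VOLUME`, `MAX_STEP` and the function names are assumptions, and it only constrains shortcuts bound to it, since any process that calls `pactl` directly is unaffected.

```sh
#!/bin/sh
# Added example, not PulseAudio code. MAX_VOLUME and MAX_STEP are assumed policy values.
MAX_VOLUME=100  # highest absolute volume allowed, in percent
MAX_STEP=5      # largest single increase allowed, in percentage points

# valid_int VALUE: succeed only for 1 to 7 decimal digits with no leading zero
# (avoids octal parsing and arithmetic overflow on oversized input).
valid_int() {
    case $1 in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "${#1}" -le 7 ]
}

# clamp_volume CURRENT REQUEST: print the percentage that may actually be set.
# REQUEST is "+N%", "-N%" or "N%"; anything else is rejected with status 1.
clamp_volume() {
    cv_cur=$1 cv_req=$2
    valid_int "$cv_cur" || return 1
    case $cv_req in
        +*%) cv_n=${cv_req#+}; cv_n=${cv_n%\%}; valid_int "$cv_n" || return 1
             cv_target=$((cv_cur + cv_n)) ;;
        -*%) cv_n=${cv_req#-}; cv_n=${cv_n%\%}; valid_int "$cv_n" || return 1
             cv_target=$((cv_cur - cv_n)) ;;
        *%)  cv_n=${cv_req%\%}; valid_int "$cv_n" || return 1
             cv_target=$cv_n ;;
        *)   return 1 ;;
    esac
    # Limit the size of a single increase; decreases are never limited.
    [ "$cv_target" -le $((cv_cur + MAX_STEP)) ] || cv_target=$((cv_cur + MAX_STEP))
    # Enforce the absolute ceiling and the floor.
    [ "$cv_target" -le "$MAX_VOLUME" ] || cv_target=$MAX_VOLUME
    [ "$cv_target" -ge 0 ] || cv_target=0
    echo "$cv_target"
}

# safe_set_volume REQUEST: read the loudest channel, clamp, then set an absolute value.
# Assumption: `pactl get-sink-volume` is available (PulseAudio 15.0 or later).
safe_set_volume() {
    ssv_cur=$(pactl get-sink-volume @DEFAULT_SINK@ |
        grep -Eo '[0-9]+%' | tr -d '%' | sort -n | tail -n 1)
    ssv_target=$(clamp_volume "$ssv_cur" "$1") || return 1
    pactl set-sink-volume @DEFAULT_SINK@ "${ssv_target}%"
}
```

Source the file and bind the shortcut to `safe_set_volume +2%` instead of the raw command. If the sink is already above the ceiling, any request brings it back down to `MAX_VOLUME`.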