{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25740", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-05T16:48:00.428Z", "datePublished": "2026-02-09T20:17:16.777Z", "dateUpdated": "2026-02-10T15:59:39.070Z"}, "containers": {"cna": {"title": "Privilege escalation to the `CAP_NET_RAW` capability via the `programs.captive-browser` NixOS module", "problemTypes": [{"descriptions": [{"cweId": "CWE-250", "lang": "en", "description": "CWE-250: Execution with Unnecessary Privileges", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/NixOS/nixpkgs/security/advisories/GHSA-wc3r-c66x-8xmc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/NixOS/nixpkgs/security/advisories/GHSA-wc3r-c66x-8xmc"}, {"name": "https://github.com/NixOS/nixpkgs/pull/487775", "tags": ["x_refsource_MISC"], "url": "https://github.com/NixOS/nixpkgs/pull/487775"}, {"name": "https://github.com/NixOS/nixpkgs/pull/487779", "tags": ["x_refsource_MISC"], "url": "https://github.com/NixOS/nixpkgs/pull/487779"}], "affected": [{"vendor": "NixOS", "product": "nixpkgs", "versions": [{"version": "<= 25.05", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T20:17:16.777Z"}, "descriptions": [{"lang": "en", "value": "captive browser, a dedicated Chrome instance to log into captive portals without messing with DNS settings. In 25.05 and earlier, when programs.captive-browser is enabled, any user of the system can run arbitrary commands with the CAP_NET_RAW capability (binding to privileged ports, spoofing localhost traffic from privileged services...). This vulnerability is fixed in 25.11 and 26.05."}], "source": {"advisory": "GHSA-wc3r-c66x-8xmc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T15:30:17.008038Z", "id": "CVE-2026-25740", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:59:39.070Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25740", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T15:30:17.008038Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:30:17.720Z"}}], "cna": {"title": "Privilege escalation to the `CAP_NET_RAW` capability via the `programs.captive-browser` NixOS module", "source": {"advisory": "GHSA-wc3r-c66x-8xmc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "NixOS", "product": "nixpkgs", "versions": [{"status": "affected", "version": "<= 25.05"}]}], "references": [{"url": "https://github.com/NixOS/nixpkgs/security/advisories/GHSA-wc3r-c66x-8xmc", "name": "https://github.com/NixOS/nixpkgs/security/advisories/GHSA-wc3r-c66x-8xmc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/NixOS/nixpkgs/pull/487775", "name": "https://github.com/NixOS/nixpkgs/pull/487775", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/NixOS/nixpkgs/pull/487779", "name": "https://github.com/NixOS/nixpkgs/pull/487779", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "captive browser, a dedicated Chrome instance to log into captive portals without messing with DNS settings. In 25.05 and earlier, when programs.captive-browser is enabled, any user of the system can run arbitrary commands with the CAP_NET_RAW capability (binding to privileged ports, spoofing localhost traffic from privileged services...). This vulnerability is fixed in 25.11 and 26.05."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-250", "description": "CWE-250: Execution with Unnecessary Privileges"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T20:17:16.777Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25740", "state": "PUBLISHED", "dateUpdated": "2026-02-10T15:59:39.070Z", "dateReserved": "2026-02-05T16:48:00.428Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-09T20:17:16.777Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "captive browser, a dedicated Chrome instance to log into captive portals without messing with DNS settings. In 25.05 and earlier, when programs.captive-browser is enabled, any user of the system can run arbitrary commands with the CAP_NET_RAW capability (binding to privileged ports, spoofing localhost traffic from privileged services...). This vulnerability is fixed in 25.11 and 26.05."}, {"lang": "es", "value": "navegador cautivo, una instancia dedicada de Chrome para iniciar sesi\u00f3n en portales cautivos sin alterar la configuraci\u00f3n de DNS. En 25.05 y anteriores, cuando programs.captive-browser est\u00e1 habilitado, cualquier usuario del sistema puede ejecutar comandos arbitrarios con la capacidad CAP_NET_RAW (enlazando a puertos privilegiados, suplantando tr\u00e1fico de localhost desde servicios privilegiados...). Esta vulnerabilidad est\u00e1 corregida en 25.11 y 26.05."}], "id": "CVE-2026-25740", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-09T21:15:49.163", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/NixOS/nixpkgs/pull/487775"}, {"source": "security-advisories@github.com", "url": "https://github.com/NixOS/nixpkgs/pull/487779"}, {"source": "security-advisories@github.com", "url": "https://github.com/NixOS/nixpkgs/security/advisories/GHSA-wc3r-c66x-8xmc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-250"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,25.05]"}}], "product": "captive-browser", "vendor": "nixos"}], "analysis": {"en": {"generated_at": "2026-04-17T21:14:33.155685+00:00", "value": {"mitigation_remediation": ["Upgrade to nixpkgs 25.11 or later (e.g., 26.05) where the vulnerability is patched", "If the captive browser feature is unnecessary, disable programs.captive-browser in the system configuration", "Ensure that only trusted users have shell access to run the captive\u2011browser module"], "summary": {"action": "Apply patch", "impact": "Privilege Escalation to CAP_NET_RAW capability"}, "threat_synthesis": {"affected_systems": "This issue affects NixOS installations using the nixpkgs 25.05 release or earlier that enable the programs.captive-browser module. It is fixed in nixpkgs 25.11 and 26.05.", "description_and_impact": "A user can trigger the programs.captive-browser module to run arbitrary commands with the CAP_NET_RAW capability, allowing binding to privileged ports and spoofing localhost traffic. The weakness stems from improper privilege assignment (CWE-250) and can compromise system networking functions if exploited. The impact is confined to the user\u2019s own session but grants elevated low\u2011level network control.", "risk_and_exploitability": "The CVSS score is 5.8 and the EPSS score is below 1%, indicating a moderate severity with low exploitation probability. The vulnerability is not listed in the KEV catalog. The likely attack vector is local, requiring an authenticated or otherwise logged\u2011in user to enable the module or execute commands within the system. No remote trigger is described, so a local privileged user can reach the CAP_NET_RAW capability through this path."}}}}, "created": "2026-02-10T15:37:25.942111+00:00", "updated": "2026-04-17T21:15:27.391156+00:00", "vendors": ["nixos", "nixos$PRODUCT$captive-browser"]}