CVE-2026-25740

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-25740
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25740.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25740
Aliases
  • GHSA-wc3r-c66x-8xmc
Published
2026-02-09T20:17:16.777Z
Modified
2026-04-10T05:40:44.811226Z
Severity
  • 5.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Privilege escalation to the `CAP_NET_RAW` capability via the `programs.captive-browser` NixOS module
Details

captive browser, a dedicated Chrome instance to log into captive portals without messing with DNS settings. In 25.05 and earlier, when programs.captive-browser is enabled, any user of the system can run arbitrary commands with the CAPNETRAW capability (binding to privileged ports, spoofing localhost traffic from privileged services...). This vulnerability is fixed in 25.11 and 26.05.

Database specific 
{
    "cwe_ids": [
        "CWE-250"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25740.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/nixos/nixpkgs

Affected ranges

Type
GIT
Repo
https://github.com/nixos/nixpkgs
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
c46290747b2aaf090f48a478270feb858837bf11
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "25.05"
        }
    ]
}

Affected versions

0.*
0.1
0.13
0.14
0.2
0.3
0.4
15.*
15.09-beta
18.*
18.03-beta
18.09-beta
21.*
21.11-pre
23.*
23.05-pre
23.11-beta
23.11-pre
24.*
24.05-pre
24.11-pre
25.*
25.05-pre
Other
v192
v206
v208

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25740.json"