CVE-2026-45254
Received - Intake
cap_net Service Missing Key Rejection Leading to Permission Escalation

Publication date: 2026-05-21

Last updated on: 2026-05-21

Assigner: FreeBSD

Description
In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected. In certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit that extended the permissions of the process.
Meta Information
Published
2026-05-21
Last Modified
2026-05-21
Generated
2026-05-21
AI Q&A
2026-05-21
Affected Vendors & Products
Vendor    Product      Version / Range
freebsd   freebsd      From 2026-05-19 (inc) to 2026-05-20 (inc)
freebsd   libcap_net   *
CWE
CWE-269: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the cap_net service of FreeBSD's libcap_net component. When an application modifies its network operation limits by providing a new limit list that omits a key present in the old limit, the system incorrectly treats the missing key as "allow any" instead of rejecting it.

As a result, an application that previously had restricted network permissions could extend its permissions unintentionally by omitting keys, effectively gaining broader network access than intended.
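The following C program is an added illustration of the flaw described in the CVE description and in the answer above; it is not FreeBSD's or libcap_net's code, and the `struct limit`, `vulnerable_accept`, `fixed_accept` and `effective_allowed` names are hypothetical. It models a limit as a list of operation keys with an allow/deny value, where a key with no entry is interpreted as "allow any". The vulnerable check only inspects the keys present in the requested limit, so a key the current limit constrains but the request omits is never compared and silently becomes unconstrained. The fixed check iterates over the current limit instead and rejects any request that omits one of its keys, which restores the invariant that a limit can only narrow.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of a cap_net-style limit: each entry names a
 * network operation and says whether it remains allowed.  These are
 * illustration types only, not the real libcap_net / nv(9) structures. */
struct limit_entry {
    const char *key;   /* e.g. "bind", "connect" */
    bool allowed;
};

struct limit {
    const struct limit_entry *entries;
    size_t n;
};

static const struct limit_entry *
find_key(const struct limit *l, const char *key)
{
    for (size_t i = 0; i < l->n; i++)
        if (strcmp(l->entries[i].key, key) == 0)
            return &l->entries[i];
    return NULL;
}

/* What gets enforced for `key` under limit `l`.  A key with no entry is
 * treated as "allow any", which is why an omitted key must never be
 * accepted silently. */
bool
effective_allowed(const struct limit *l, const char *key)
{
    const struct limit_entry *e = find_key(l, key);
    return e == NULL ? true : e->allowed;
}

/* Models the pre-fix behaviour: only keys that appear in the requested limit
 * are compared against the current one.  A key that the current limit
 * constrains but the request leaves out is never examined, so the request
 * is accepted and that key falls back to "allow any". */
bool
vulnerable_accept(const struct limit *cur, const struct limit *req)
{
    for (size_t i = 0; i < req->n; i++) {
        const struct limit_entry *c = find_key(cur, req->entries[i].key);
        if (c == NULL)                               /* cannot add a new key */
            return false;
        if (req->entries[i].allowed && !c->allowed)  /* cannot re-allow */
            return false;
    }
    return true;
}

/* Fixed behaviour: iterate over the CURRENT limit.  Every key it contains
 * must appear in the request with a value that is no more permissive, so
 * the limit can only ever narrow.  Keys the request adds are still rejected. */
bool
fixed_accept(const struct limit *cur, const struct limit *req)
{
    for (size_t i = 0; i < cur->n; i++) {
        const struct limit_entry *r = find_key(req, cur->entries[i].key);
        if (r == NULL)                               /* omitted key: reject */
            return false;
        if (r->allowed && !cur->entries[i].allowed)
            return false;
    }
    for (size_t i = 0; i < req->n; i++)
        if (find_key(cur, req->entries[i].key) == NULL)
            return false;
    return true;
}

/* Constructed scenario: the process had bind() forbidden and connect()
 * allowed, then requests a limit that simply leaves "bind" out. */
static const struct limit_entry cur_entries[]    = { { "bind", false }, { "connect", true } };
static const struct limit_entry req_entries[]    = { { "connect", true } };
/* A legitimate narrowing request for comparison: also drops connect(). */
static const struct limit_entry narrow_entries[] = { { "bind", false }, { "connect", false } };

const struct limit cur_limit    = { cur_entries, 2 };
const struct limit req_limit    = { req_entries, 1 };
const struct limit narrow_limit = { narrow_entries, 2 };

int
main(void)
{
    printf("vulnerable accepts omission: %d\n", vulnerable_accept(&cur_limit, &req_limit));
    printf("bind allowed afterwards:     %d\n", effective_allowed(&req_limit, "bind"));
    printf("fixed accepts omission:      %d\n", fixed_accept(&cur_limit, &req_limit));
    printf("fixed accepts narrowing:     %d\n", fixed_accept(&cur_limit, &narrow_limit));
    return 0;
}
```

The direction of the loop is the whole point: a check that walks the request can only see what the caller chose to include, while a check that walks the existing limit cannot be bypassed by leaving something out.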


How can this vulnerability impact me?

This vulnerability can impact you by allowing applications to escalate their network permissions beyond what was originally restricted. An application that was limited to a subset of network operations could exploit this flaw to gain broader network access, potentially leading to unauthorized network activity.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, users should upgrade their FreeBSD systems to the updated stable and release branches dated after May 19-20, 2026.

Upgrades can be performed using pkg, freebsd-update, or by applying the provided source code patches.

No workaround exists for this issue, so applying the update is the only effective mitigation.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an application to extend its network permissions beyond intended restrictions by incorrectly treating omitted keys in the cap_net service limit list as "allow any" instead of rejecting them.

Such unintended permission escalation could lead to unauthorized network operations, potentially resulting in unauthorized access to sensitive data or systems.

Consequently, this flaw could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

Organizations relying on FreeBSD systems affected by this vulnerability should upgrade to the fixed versions to maintain compliance and reduce risk.

