CVE-2026-45254
Status: Analyzed - Analysis Complete
cap_net Service Missing Key Rejection Leading to Permission Escalation

Publication date: 2026-05-21

Last updated on: 2026-05-21

Assigner: FreeBSD

Description
In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected. In certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit that extended the permissions of the process.
Meta Information
Published: 2026-05-21
Last Modified: 2026-05-21
Generated: 2026-06-10
AI Q&A: 2026-05-21
EPSS Evaluated: 2026-06-09
External references: NVD, EUVD
Affected Vendors & Products
29 associated CPEs, collapsed here to the distinct vendor/product/version combinations:
Vendor Product Version / Range
freebsd freebsd 14.3
freebsd freebsd 14.4
freebsd freebsd 15.0
CWE
CWE-269: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
AI Quick Actions (the following sections are AI-generated summaries of the advisory)
Executive Summary

This vulnerability exists in the cap_net service of FreeBSD's libcap_net component. When an application modifies its network operation limits by providing a new limit list that omits a key present in the old limit, the system incorrectly treats the missing key as "allow any" instead of rejecting it.

As a result, an application that previously had restricted network permissions could extend its permissions unintentionally by omitting keys, effectively gaining broader network access than intended.

Impact Analysis

This vulnerability allows applications to escalate their network permissions beyond what was originally restricted. An application that was limited to a subset of network operations could use this flaw to regain broader network access, potentially leading to unauthorized network activity.

Mitigation Strategies

To mitigate this vulnerability, users should upgrade their FreeBSD systems to the updated stable and release branches dated after May 19-20, 2026.

Upgrades can be performed using pkg, freebsd-update, or by applying the provided source code patches.

No workaround exists for this issue, so applying the update is the only effective mitigation.

Compliance Impact

This vulnerability allows an application to extend its network permissions beyond intended restrictions by incorrectly treating omitted keys in the cap_net service limit list as "allow any" instead of rejecting them.

Such unintended permission escalation could lead to unauthorized network operations, potentially resulting in unauthorized access to sensitive data or systems.

Consequently, this flaw could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

Organizations relying on FreeBSD systems affected by this vulnerability should upgrade to the fixed versions to maintain compliance and reduce risk.
