CVE-2026-25740

Summary

captive browser, a dedicated Chrome instance to log into captive portals without messing with DNS settings. In 25.05 and earlier, when programs.captive-browser is enabled, any user of the system can run arbitrary commands with the CAP_NET_RAW capability (binding to privileged ports, spoofing localhost traffic from privileged services…). This vulnerability is fixed in 25.11 and 26.05.

Affected Software

VendorProductVersion RangeStatus
NixOSnixpkgs<= 25.05affected

Weaknesses

  • CWE-250: CWE-250: Execution with Unnecessary Privileges

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References