CVE-2026-25740 in nixpkgs
Summary
by MITRE • 02/09/2026
captive browser, a dedicated Chrome instance to log into captive portals without messing with DNS settings. In 25.05 and earlier, when programs.captive-browser is enabled, any user of the system can run arbitrary commands with the CAP_NET_RAW capability (binding to privileged ports, spoofing localhost traffic from privileged services...). This vulnerability is fixed in 25.11 and 26.05.
Analysis
by VulDB Data Team • 02/09/2026
The vulnerability described in CVE-2026-25740 affects captive browser, a specialized Chrome instance designed to handle captive portal authentication without altering DNS configurations. This tool operates as a dedicated browser environment that enables users to authenticate to network portals while maintaining system network integrity. The flaw exists in versions 25.05 and earlier where the captive-browser feature becomes a critical security weakness when the programs.captive-browser setting is enabled. The vulnerability represents a privilege escalation issue that fundamentally undermines the security boundaries of the system's network access controls.
The technical implementation of this vulnerability stems from improper privilege handling within the captive browser component. When the programs.captive-browser configuration is active, the system grants users with access to the captive browser interface the capability to execute arbitrary commands with the CAP_NET_RAW capability. This Linux capability allows processes to bind to privileged ports below 1024, forge network packets, and spoof localhost traffic originating from privileged services. The flaw essentially enables any local user to elevate their privileges to perform network-level operations that should be restricted to system administrators or privileged processes. This capability directly violates the principle of least privilege and creates a pathway for unauthorized network manipulation.
The operational impact of this vulnerability extends beyond simple privilege escalation, creating significant risks for network security and system integrity. An attacker with local access could exploit this vulnerability to intercept or manipulate traffic between privileged services and localhost, potentially compromising authentication mechanisms, accessing sensitive data, or conducting man-in-the-middle attacks. The ability to bind to privileged ports allows for port redirection attacks and service impersonation, while spoofing capabilities could be used to bypass network security controls that rely on source address validation. This vulnerability essentially transforms any local user account into a potential network-level threat actor, undermining the security model of systems that depend on captive portal authentication for network access control.
Organizations affected by this vulnerability should immediately implement mitigations including updating to versions 25.11 or 26.05 where the issue has been resolved. The fix addresses the root cause by properly restricting the capabilities granted to the captive browser process and ensuring that network-level privileges are not unnecessarily exposed to unprivileged users. System administrators should also consider implementing additional controls such as monitoring for unauthorized access to captive browser functionality and reviewing access permissions for system components. The vulnerability aligns with CWE-276, which addresses improper privileges, and relates to ATT&CK techniques involving privilege escalation and network sniffing. Organizations should conduct comprehensive security assessments to identify any potential exploitation attempts and ensure that all systems running affected versions of captive browser have been properly updated.
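One way to implement the monitoring recommended above, as an added example that is not part of the original advisory or of nixpkgs: a Python check that reads /proc/<pid>/status and flags non-root processes holding CAP_NET_RAW. The sample status text is constructed, the function names are this example's own, and bit 13 for CAP_NET_RAW is taken from linux/capability.h.

```python
import os

CAP_NET_RAW = 13  # bit index of CAP_NET_RAW in linux/capability.h

# Constructed sample of /proc/<pid>/status content (not captured from a real host):
# an unprivileged shell that carries CAP_NET_RAW in every set, including ambient.
SAMPLE_STATUS = (
    "Name:\tsh\n"
    "Pid:\t4242\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t0000000000002000\n"
    "CapPrm:\t0000000000002000\n"
    "CapEff:\t0000000000002000\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000002000\n"
)

def parse_status(text):
    """Return name, pid, effective uid and capability masks from a status file."""
    fields = dict(line.split(":\t", 1) for line in text.splitlines() if ":\t" in line)
    caps = {k: int(fields.get(k, "0"), 16) for k in ("CapInh", "CapPrm", "CapEff", "CapAmb")}
    return {"name": fields.get("Name", "?"), "pid": int(fields["Pid"]),
            "euid": int(fields["Uid"].split()[1]), "caps": caps}

def net_raw_sets(proc):
    """Names of the capability sets in which CAP_NET_RAW is raised."""
    return [k for k, mask in proc["caps"].items() if (mask >> CAP_NET_RAW) & 1]

def is_suspicious(proc):
    """True for a non-root process with CAP_NET_RAW permitted, effective or ambient."""
    held = set(net_raw_sets(proc)) & {"CapPrm", "CapEff", "CapAmb"}
    return proc["euid"] != 0 and bool(held)

def scan_proc(root="/proc"):
    """Walk a live /proc and return flagged processes; skips entries that vanish."""
    hits = []
    for entry in os.listdir(root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(root, entry, "status")) as fh:
                proc = parse_status(fh.read())
        except (OSError, KeyError, ValueError):
            continue  # process exited mid-scan or status was unreadable
        if is_suspicious(proc):
            hits.append(proc)
    return hits

if __name__ == "__main__":
    for p in scan_proc():
        print(p["pid"], p["name"], p["euid"], net_raw_sets(p))
```

Hits are triage leads rather than verdicts: short-lived tools that legitimately hold CAP_NET_RAW can appear, while a shell or interpreter carrying it in the ambient set under an ordinary user's uid deserves a closer look.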