Description
captive browser, a dedicated Chrome instance to log into captive portals without messing with DNS settings. In 25.05 and earlier, when programs.captive-browser is enabled, any user of the system can run arbitrary commands with the CAP_NET_RAW capability (binding to privileged ports, spoofing localhost traffic from privileged services...). This vulnerability is fixed in 25.11 and 26.05.
Published: 2026-02-09
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to CAP_NET_RAW capability
Action: Apply patch
AI Analysis

Impact

A user can trigger the programs.captive-browser module to run arbitrary commands with the CAP_NET_RAW capability, allowing binding to privileged ports and spoofing localhost traffic. The weakness stems from improper privilege assignment (CWE-250) and can compromise system networking functions if exploited. The impact is confined to the user’s own session but grants elevated low‑level network control.

Affected Systems

This issue affects NixOS installations using the nixpkgs 25.05 release or earlier that enable the programs.captive-browser module. It is fixed in nixpkgs 25.11 and 26.05.

Risk and Exploitability

The CVSS score is 5.8 and the EPSS score is below 1%, indicating a moderate severity with low exploitation probability. The vulnerability is not listed in the KEV catalog. The likely attack vector is local, requiring an authenticated or otherwise logged‑in user to enable the module or execute commands within the system. No remote trigger is described, so a local privileged user can reach the CAP_NET_RAW capability through this path.

Generated by OpenCVE AI on April 17, 2026 at 21:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to nixpkgs 25.11 or later (e.g., 26.05) where the vulnerability is patched
  • If the captive browser feature is unnecessary, disable programs.captive-browser in the system configuration
  • Ensure that only trusted users have shell access to run the captive‑browser module

Generated by OpenCVE AI on April 17, 2026 at 21:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Nixos
Nixos captive-browser
Vendors & Products Nixos
Nixos captive-browser

Mon, 09 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
Description captive browser, a dedicated Chrome instance to log into captive portals without messing with DNS settings. In 25.05 and earlier, when programs.captive-browser is enabled, any user of the system can run arbitrary commands with the CAP_NET_RAW capability (binding to privileged ports, spoofing localhost traffic from privileged services...). This vulnerability is fixed in 25.11 and 26.05.
Title Privilege escalation to the `CAP_NET_RAW` capability via the `programs.captive-browser` NixOS module
Weaknesses CWE-250
References
Metrics cvssV4_0

{'score': 5.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Nixos Captive-browser
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T15:59:39.070Z

Reserved: 2026-02-05T16:48:00.428Z

Link: CVE-2026-25740

cve-icon Vulnrichment

Updated: 2026-02-10T15:30:17.720Z

cve-icon NVD

Status : Deferred

Published: 2026-02-09T21:15:49.163

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25740

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T21:15:27Z

Weaknesses