Impact
The flaw in the libcap_net service causes any capability key omitted from an old limit to be treated as "allow any" rather than being rejected when a new limit is applied. This unintended allowance means an application that had previously restricted a subset of network operations could request a new limit that expands the process's network privileges, effectively granting the application higher‑than‑intended rights. The vulnerability is a classic example of Improper Restriction of Operations within the Bounds of a Task (CWE‑269). The result is the ability for a local or potentially compromised application to gain unauthorized network capabilities, which could lead to data exfiltration, unauthorized service connections, or other network‑based abuse.
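The check described above, as a simplified model added here for illustration; it is not libcap_net source code. Limits are modelled as key/value pairs, and the key names, addresses and function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not libcap_net code: a limit is a list of key/value
 * pairs, each pair naming one permitted target for one operation. */
struct entry { const char *key, *value; };
struct limit { const struct entry *e; size_t n; };

static bool has_key(const struct limit *l, const char *key) {
    for (size_t i = 0; i < l->n; i++)
        if (strcmp(l->e[i].key, key) == 0) return true;
    return false;
}

static bool allows(const struct limit *l, const struct entry *want) {
    for (size_t i = 0; i < l->n; i++)
        if (strcmp(l->e[i].key, want->key) == 0 &&
            strcmp(l->e[i].value, want->value) == 0) return true;
    return false;
}

/* Flawed rule from the description: a key the old limit omits is "allow any". */
bool limit_ok_flawed(const struct limit *old, const struct limit *next) {
    for (size_t i = 0; i < next->n; i++)
        if (has_key(old, next->e[i].key) && !allows(old, &next->e[i]))
            return false;
    return true;
}

/* Strict rule: every entry of the new limit must already be in the old one. */
bool limit_ok_strict(const struct limit *old, const struct limit *next) {
    for (size_t i = 0; i < next->n; i++)
        if (!allows(old, &next->e[i])) return false;
    return true;
}

/* Constructed sample limits; key names and addresses are illustrative. */
static const struct entry old_e[] = { {"connect", "192.0.2.10:443"} };
static const struct entry wide_e[] = { {"connect", "192.0.2.10:443"}, {"bind", "198.51.100.7:8080"} };
static const struct entry same_e[] = { {"connect", "192.0.2.10:443"} };
static const struct entry moved_e[] = { {"connect", "203.0.113.5:22"} };
const struct limit OLD = {old_e, 1}, WIDER = {wide_e, 2}, SAME = {same_e, 1}, MOVED = {moved_e, 1};

int main(void) {
    printf("flawed accepts wider limit: %d\n", limit_ok_flawed(&OLD, &WIDER));
    printf("strict accepts wider limit: %d\n", limit_ok_strict(&OLD, &WIDER));
    printf("strict accepts equal limit: %d\n", limit_ok_strict(&OLD, &SAME));
    return 0;
}
```

Both rules reject a new limit that changes a value under a key the old limit already holds; they differ only for keys the old limit never mentioned.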
Affected Systems
The issue affects the FreeBSD operating system when the cap_net service is in use. Specific version ranges are not provided, so any FreeBSD release that incorporates the vulnerable libcap_net implementation should be considered at risk.
Risk and Exploitability
A CVSS score of 6.5 indicates moderate severity, and the EPSS score of <1% suggests a low exploitation probability. The KEV catalog does not mention this vulnerability, indicating no publicly known exploitation. Nevertheless, because the flaw permits privilege escalation for network capabilities when an application can re‑define capability limits, systems that rely on strict capability boundaries are at moderate‑to‑high risk. The attack likely requires local execution or an application that can invoke cap_net, making it a relevant threat for services that treat capability changes as privileged operations.