CVEFinder.io

CVE-2026-45255

⚠️ high
🔍 Scan for this CVE
Summary

When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) to prompt the user to select a network. This is implemented using a shell script, and the code which handled network names was not careful to prevent expansion by the shell. As a result, a suitably crafted network name can be used to execute commands via a subshell. The problem can be exploited to execute code as root on the system running bsdinstall or bsdco

Description

When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) to prompt the user to select a network. This is implemented using a shell script, and the code which handled network names was not careful to prevent expansion by the shell. As a result, a suitably crafted network name can be used to execute commands via a subshell.

The problem can be exploited to execute code as root on the system running bsdinstall or bsdconfig. The attacker would need to create an access point with a specially crafted name and be within range of a Wi-Fi scan. Note that bsdinstall and bsdconfig are vulnerable as soon as the user prompts them to scan for nearby networks; they do not need to actually select the malicious network.

CVSS Score
7.5
High
EPSS Score
0.0
Exploit Probability
Published Date
2026-05-21
First Seen: 2026-05-22
📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 69.0% of all 328,009 vulnerabilities in our database.

#101,817
Above average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 21, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Total
Complete system compromise possible
🏆 Discovered By
Austin Ralls
SSVC data provided by CISA
Last Modified 2026-05-21
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE IDs (Weakness Types)
CWE-78

📦 Affected Products 3

Vendor Product Status Affected Versions
freebsd freebsd Affected
v14.3
freebsd freebsd Affected
v14.4
freebsd freebsd Affected
v15.0

🔗 References 1

https://security.freebsd.org/advisories/FreeBSD-SA-2...
Vendor Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-45250 ⚠️ high 7.8 0.0 The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is ... 2026-05-21
CVE-2026-39461 ⚠️ high 8.8 0.0 libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for ... 2026-05-21
CVE-2026-45251 ⚠️ high 7.8 0.0 A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. B... 2026-05-21
CVE-2026-45252 🔶 medium 5.5 0.1 When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace ... 2026-05-21
CVE-2026-45253 ⚠️ high 8.4 0.0 ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls. As a... 2026-05-21
CVE-2026-45254 🔶 medium 6.5 0.0 In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key ... 2026-05-21
These CVEs affect the same products