CVE-2026-25740
📋 TL;DR
This vulnerability in captive-browser allows any local user to execute arbitrary commands with the CAP_NET_RAW capability. CAP_NET_RAW permits raw and packet sockets and binding to any address (it does not by itself allow binding to privileged ports; that is CAP_NET_BIND_SERVICE), so an unprivileged user can sniff loopback traffic and craft packets that appear to originate from localhost, where privileged services often trust the peer. It affects NixOS systems with programs.captive-browser enabled in versions 25.05 and earlier.
💻 Affected Systems
- captive-browser (NixOS package)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could intercept or manipulate traffic from privileged services running on localhost, potentially leading to credential theft, service disruption, or lateral movement within the network.
Likely Case
Local privilege escalation allowing unauthorized users to perform network operations typically restricted to privileged processes, potentially enabling traffic monitoring or service impersonation.
If Mitigated
Limited impact if proper access controls and network segmentation are in place, though local users could still abuse network capabilities.
🎯 Exploit Status
Exploitation requires local user access but is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 25.11 and 26.05
Vendor Advisory: https://github.com/NixOS/nixpkgs/security/advisories/GHSA-wc3r-c66x-8xmc
Restart Required: Yes
Instructions:
1. Update the system's nixos channel (or flake input) to NixOS 25.11 or 26.05.
2. Rebuild and switch to the new configuration: sudo nixos-rebuild switch
3. Reboot so that no process keeps running with the old wrapper.
🔧 Temporary Workarounds
Disable captive-browser
Temporarily disable the vulnerable component until patching is possible. The module is turned off in the NixOS configuration (for example /etc/nixos/configuration.nix), not on the nixos-rebuild command line: the --option flag of nixos-rebuild sets Nix daemon settings, not NixOS module options, so it cannot disable the module. Add
programs.captive-browser.enable = false;
to the configuration and switch to the new generation:
sudo nixos-rebuild switch
🧯 If You Can't Patch
- Restrict local user access to affected systems
- Implement network monitoring for unusual localhost traffic patterns
🔍 How to Verify
Check if Vulnerable:
Check if programs.captive-browser is enabled and NixOS version is 25.05 or earlier
Check Version:
nixos-version
Verify Fix Applied:
Confirm that nixos-version reports 25.11 or 26.05, that captive-browser still works, and that CAP_NET_RAW is no longer handed to arbitrary users: list the NixOS capability wrappers with getcap -r /run/wrappers/bin and check that no wrapper reachable by unprivileged users lets them run commands of their choosing with cap_net_raw.
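To make the checks above mechanical, the following script is an added example written for this page (it is not shipped by NixOS or by the captive-browser project). It takes the affected range (25.05 and earlier) from the advisory text, assumes the standard NixOS wrapper directory /run/wrappers/bin, and parses a constructed getcap sample in which the captive-browser wrapper name is hypothetical:

```shell
#!/bin/sh
# Added example, not from the page or from nixpkgs: checks the two conditions
# the advisory gives (programs.captive-browser enabled, NixOS 25.05 or earlier)
# and lists which NixOS capability wrappers carry cap_net_raw.
# Assumptions: /run/wrappers/bin is the standard location of NixOS
# security.wrappers; the getcap sample below is constructed, and the
# "captive-browser" wrapper name in it is hypothetical.

# version_is_affected VERSION: succeed when a nixos-version string is 25.05 or
# earlier. Accepts "25.05", "25.05.20250601.abcdef (Warbler)" and "25.11pre1.abc".
version_is_affected() {
    ver=$1
    major=${ver%%.*}               # "25.05.2025..." -> "25"
    rest=${ver#*.}                 # -> "05.2025..."
    minor=${rest%%.*}              # -> "05"
    major=${major%%[!0-9]*}        # keep leading digits only
    minor=${minor%%[!0-9]*}        # "11pre1" -> "11"
    case "$major" in ""|*[!0-9]*) return 2 ;; esac
    case "$minor" in ""|*[!0-9]*) return 2 ;; esac
    minor=${minor#0}; minor=${minor:-0}   # "05" -> "5" so no shell reads it as octal
    if [ "$major" -lt 25 ]; then return 0; fi
    if [ "$major" -eq 25 ] && [ "$minor" -le 5 ]; then return 0; fi
    return 1
}

# net_raw_wrappers < getcap-output: print the path of every entry whose
# capability set names cap_net_raw. Both getcap output styles are accepted:
#   /run/wrappers/bin/ping = cap_net_raw+ep     (older libcap)
#   /run/wrappers/bin/ping cap_net_raw=ep       (newer libcap)
net_raw_wrappers() {
    while IFS= read -r line; do
        case "$line" in
            *cap_net_raw*) printf '%s\n' "${line%% *}" ;;
        esac
    done
}

# count_net_raw < getcap-output: number of wrappers carrying cap_net_raw.
count_net_raw() {
    net_raw_wrappers | grep -c . || true
}

# Constructed sample of `getcap -r /run/wrappers/bin` output (not from a real
# host; the captive-browser entry is a hypothetical wrapper name).
SAMPLE_GETCAP='/run/wrappers/bin/captive-browser = cap_net_raw+ep
/run/wrappers/bin/ping = cap_net_raw+ep
/run/wrappers/bin/mount = cap_sys_admin+ep'

# Live check on a NixOS host; elsewhere, demonstrate on the constructed sample.
if command -v nixos-version >/dev/null 2>&1; then
    ver=$(nixos-version)
    if version_is_affected "$ver"; then
        echo "nixos-version $ver is in the affected range (25.05 or earlier)"
    else
        echo "nixos-version $ver is outside the affected range"
    fi
    if command -v getcap >/dev/null 2>&1 && [ -d /run/wrappers/bin ]; then
        echo "wrappers carrying cap_net_raw:"
        getcap -r /run/wrappers/bin 2>/dev/null | net_raw_wrappers
    fi
else
    echo "not a NixOS host; parsing the constructed sample instead:"
    printf '%s\n' "$SAMPLE_GETCAP" | net_raw_wrappers
fi
```

A version in range plus a captive-browser wrapper in the cap_net_raw list means the system matches the advisory's preconditions; the ping wrapper carrying cap_net_raw is normal and is not evidence on its own.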
📡 Detection & Monitoring
Log Indicators:
- Non-root processes whose effective capability set includes CAP_NET_RAW (the CapEff mask in /proc/PID/status); on NixOS, compare against the expected capability wrappers such as ping
- Raw or packet sockets opened by unprivileged users (ss -wp for raw sockets, ss -0p for packet sockets), or binds to addresses the host does not own
Network Indicators:
- Loopback traffic whose source address or port does not correspond to any local socket (spoofed localhost packets)
- Unexpected listeners or new connections on loopback interfaces
SIEM Query (pseudo-syntax; map the field names onto your process telemetry):
process where capability contains 'cap_net_raw' and user != 'root'
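The first log indicator can be checked directly on a host: Linux exposes each process's effective capability set as the CapEff bitmask in /proc/PID/status, and CAP_NET_RAW is capability number 13. The script below is an added example (not from the page, from NixOS or from captive-browser); the three status snippets are constructed, and the captive-browser process name in them is hypothetical.

```shell
#!/bin/sh
# Added example, not from the page or from NixOS: report processes that hold
# CAP_NET_RAW in their effective capability set while running as a non-root
# user. Linux exposes the effective set as the CapEff hex mask in
# /proc/PID/status; CAP_NET_RAW is capability number 13 (linux/capability.h).
# The status snippets at the bottom are constructed samples, not real captures.

CAP_NET_RAW_BIT=13

# has_cap_net_raw HEXMASK: succeed when bit 13 of the mask is set.
has_cap_net_raw() {
    case "$1" in ""|*[!0-9a-fA-F]*) return 1 ;; esac   # refuse non-hex input
    [ $(( (0x$1 >> $CAP_NET_RAW_BIT) & 1 )) -eq 1 ]
}

# flag_status < /proc/PID/status: print one line and succeed when the process
# is non-root (real uid != 0) and has CAP_NET_RAW in CapEff; fail otherwise.
# Only the first word of each field is used, so a Name containing spaces is
# truncated, which is harmless here.
flag_status() {
    pid= name= uid= capeff=
    while read -r key first rest; do
        case "$key" in
            Pid:)    pid=$first ;;
            Name:)   name=$first ;;
            Uid:)    uid=$first ;;     # real uid (fields: real effective saved fs)
            CapEff:) capeff=$first ;;
        esac
    done
    [ "${uid:-0}" -ne 0 ] || return 1
    has_cap_net_raw "$capeff" || return 1
    printf 'pid=%s uid=%s name=%s CapEff=%s\n' "$pid" "$uid" "$name" "$capeff"
}

# scan_proc: walk every live process and print the flagged ones.
scan_proc() {
    for d in /proc/[0-9]*; do
        [ -r "$d/status" ] || continue
        flag_status < "$d/status" || :
    done
}

# Constructed /proc/PID/status excerpts (real files use tabs; read splits on
# both). "captive-browser" is a hypothetical name for the wrapper's child.
SAMPLE_USER_SHELL='Name: bash
Pid: 4200
Uid: 1000 1000 1000 1000
CapEff: 0000000000000000'
SAMPLE_WRAPPER_CHILD='Name: captive-browser
Pid: 4242
Uid: 1000 1000 1000 1000
CapEff: 0000000000002000'
SAMPLE_ROOT_SSHD='Name: sshd
Pid: 812
Uid: 0 0 0 0
CapEff: 000001ffffffffff'

# demo_count: number of constructed samples that flag_status reports.
demo_count() {
    n=0
    for s in "$SAMPLE_USER_SHELL" "$SAMPLE_WRAPPER_CHILD" "$SAMPLE_ROOT_SSHD"; do
        if printf '%s\n' "$s" | flag_status >/dev/null; then n=$((n+1)); fi
    done
    echo "$n"
}

echo "flagged among constructed samples: $(demo_count)"
if [ -d /proc/1 ]; then
    echo "live scan of this host:"
    scan_proc
fi
```

Root processes are skipped because they normally hold the full capability set; the interesting finding is an unprivileged uid with bit 13 set. On NixOS a short-lived ping, whose wrapper typically carries cap_net_raw, is expected noise, so alert on the process name and parent rather than on the capability alone.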