Security Vulnerability Report
中文
CVE-2026-45254 CVSS 6.5 MEDIUM

CVE-2026-45254

Published: 2026-05-21 10:16:26
Last Modified: 2026-05-21 19:00:48
Source: [email protected]

Description

In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected. In certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit that extended the permissions of the process.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:o:freebsd:freebsd:14.3:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:freebsd:freebsd:14.3:p1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:freebsd:freebsd:14.3:p10:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:freebsd:freebsd:14.3:p11:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:freebsd:freebsd:14.3:p12:*:*:*:*:*:* - VULNERABLE
FreeBSD (受限于FreeBSD-SA-26:24影响)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
/* * PoC for CVE-2026-45254: FreeBSD cap_net Logic Flaw * This code demonstrates the concept where omitting a key in the new limit * results in "allow any" instead of rejection. */ #include <stdio.h> #include <stdlib.h> #include <string.h> // Hypothetical structure for cap_net limits struct cap_limit { char key[64]; int action; // 0: deny, 1: allow }; // Simulated vulnerable function to update limits void update_limits_vulnerable(struct cap_limit *old_limits, int old_count, struct cap_limit *new_limits, int new_count) { printf("[VULNERABLE] Updating limits...\n"); // In the vulnerable scenario, the system assumes missing keys are implicitly allowed for (int i = 0; i < old_count; i++) { int found = 0; for (int j = 0; j < new_count; j++) { if (strcmp(old_limits[i].key, new_limits[j].key) == 0) { found = 1; break; } } if (!found) { printf("Key '%s' omitted in new limits. Treating as ALLOW ANY (VULNERABILITY)!\n", old_limits[i].key); } } } int main() { // Initial strict limits: restrict HTTP and DNS struct cap_limit old_limits[2]; strcpy(old_limits[0].key, "net.http"); old_limits[0].action = 0; // Deny strcpy(old_limits[1].key, "net.dns"); old_limits[1].action = 0; // Deny // New limits: Only explicitly restrict HTTP, omitting DNS struct cap_limit new_limits[1]; strcpy(new_limits[0].key, "net.http"); new_limits[0].action = 0; // Deny // Trigger the vulnerable logic update_limits_vulnerable(old_limits, 2, new_limits, 1); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-45254", "sourceIdentifier": "[email protected]", "published": "2026-05-21T10:16:26.380", "lastModified": "2026-05-21T19:00:47.593", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as \"allow any\" instead of being rejected.\n\nIn certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit that extended the permissions of the process."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:-:*:*:*:*:*:*", "matchCriteriaId": "9DC7C54E-58AF-4ADE-84AF-0EF0F325E20E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p1:*:*:*:*:*:*", "matchCriteriaId": "D3D22B8C-36CF-4800-9673-0B0240558BDD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p10:*:*:*:*:*:*", "matchCriteriaId": "7296F5AA-F8C1-4277-A4EE-C2B24073A320"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p11:*:*:*:*:*:*", "matchCriteriaId": "C30E4A9C-0594-4F40-92B3-26CB9AA85AE9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p12:*:*:*:*:*:*", "matchCriteriaId": "9F83F91B-587A-433C-99DB-0D63E267FF16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p13:*:*:*:*:*:*", "matchCriteriaId": "44B9C2FC-756E-459F-8E68-C2C2B8C258AC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p2:*:*:*:*:*:*", "matchCriteriaId": "242FA2A8-5D7D-4617-A411-2651FF3A3E4C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p3:*:*:*:*:*:*", "matchCriteriaId": "40573F60-F3B7-4AEC-846A-B08E5B7D9D00"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p4:*:*:*:*:*:*", "matchCriteriaId": "1FB832CE-0A98-44A2-8BAC-CD38A64279B6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p5:*:*:*:*:*:*", "matchCriteriaId": "9A785F8E-C218-41AE-8D57-BF06DDAEF7CB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p6:*:*:*:*:*:*", "matchCriteriaId": "C3909FDD-B2A2-45B6-A40B-1D303A717F15"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p7:*:*:*:*:*:*", "matchCriteriaId": "720597A2-F181-46E1-8A0D-097E17ADC4FB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p8:*:*:*:*:*:*", "matchCriteriaId": "DC8A75D0-148A-427A-9783-45477EABED21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p9:*:*:*:*:*:*", "matchCriteriaId": "F5D39FC9-6DBA-46C8-BB80-A6188E6A8527"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:14.4:-:*:*:*:*:*:*", "matchCriteriaId": "8F3856BE-666F-4FA1-A6AD-FE179CEBF1E4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:14.4:p1:*:*:*:*:*:*", "matchCriteriaId": "D9CC0037-3282-42C3-80D8-F6C1D43B9332"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:14.4:p2:*:*:*:*:*:*", "matchCriteriaId": "1EADA828-3C20-43C0-A0CA-3AC7D7F23DBD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:14.4:p3:*:*:*:*:*:*", "matchCriteriaId": "53D73FD2-4B06-47D3-BA2A-4363E9DE3565"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:14.4:p4:*:*:*:*:*:*", "matchCriteriaId": "D726890B-E679-43A9-A211-D5C05BBE3941"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:14.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "0342A715-E211-4AF6-97ED-32EB9EBB947D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:15.0:-:*:*:*:*:*:*", "matchCriteriaId": "368CFE5D-C5C2-42AF-AAF4-28DFE1A59C3B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:15.0:p1:*:*:*:*:*:*", "matchCriteriaId": "AA4AAA57-70A7-4717-ACF2-A253E757FF2C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:15.0:p2:*:*:*:*:*:*", "matchCriteriaId": "E24ABFA6-4D12-4DE5-832B-438502C7D188"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:15.0:p3:*:*:*:*:*:*", "matchCriteriaId": "C1C9869C-494B-4628-9AA3-4AA5B989C377"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:15.0:p4:*:*:*:*:*:*", "matchCriteriaId": "002AA2FE-C7BA-471A-9434-0E56A878ACBF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:freebsd:freebsd:15.0:p5:*:*:*:*:*:*", "matchCriteriaId": "B187670D-E3A2-4A0D-A653-982F8B44 ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.