CVE-2026-45255

7.5 HIGH

When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) t...

Published: 2026-05-21 · Last updated: 2026-05-21

Severity and scoring

CVSS: 7.5 HIGH
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-78

Affected products

Vendor	Product
freebsd	freebsd

Description

When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) to prompt the user to select a network. This is implemented using a shell script, and the code which handled network names was not careful to prevent expansion by the shell. As a result, a suitably crafted network name can be used to execute commands via a subshell. The problem can be exploited to execute code as root on the system running bsdinstall or bsdconfig. The attacker would need to create an access point with a specially crafted name and be within range of a Wi-Fi scan. Note that bsdinstall and bsdconfig are vulnerable as soon as the user prompts them to scan for nearby networks; they do not need to actually select the malicious network.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-45255
[Vendor advisory]https://security.freebsd.org/advisories/FreeBSD-SA-26:23.bsdinstall.asc

Related CVEs

Same vendor

CVE-2026-45254 — In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "a... (6.5 MEDIUM)
CVE-2026-45253 — ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls (8.4 HIGH)
CVE-2026-45252 — When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retriev... (5.5 MEDIUM)
CVE-2026-45251 — A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor (7.8 HIGH)
CVE-2026-39461 — libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become av... (8.8 HIGH)

Same CWE

CVE-2026-22313 — The device has a webserver that exposes a REST API authenticated with a token on the management network (9.1 CRITICAL)
CVE-2026-44932 — Passing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used by attackers operating a ... (8.8 HIGH)
CVE-2026-12398 — A command injection vulnerability was found in galaxy_ng (7.5 HIGH)
CVE-2026-5416 — Due to the improper neutralization of special elements used in a name parameter a low privileged remote attacker can exploit a command in... (8.8 HIGH)
CVE-2026-12161 — Improper input validation in the SSH Elevate Shell feature in Devolutions Remote Desktop Manager 2026.2.7 allows an authenticated user ... (8.8 HIGH)