Home

Description

When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) to prompt the user to select a network. This is implemented using a shell script, and the code which handled network names was not careful to prevent expansion by the shell. As a result, a suitably crafted network name can be used to execute commands via a subshell. The problem can be exploited to execute code as root on the system running bsdinstall or bsdconfig. The attacker would need to create an access point with a specially crafted name and be within range of a Wi-Fi scan. Note that bsdinstall and bsdconfig are vulnerable as soon as the user prompts them to scan for nearby networks; they do not need to actually select the malicious network.

PUBLISHED Reserved 2026-05-11 | Published 2026-05-21 | Updated 2026-05-21 | Assigner freebsd

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command

Product status

Default status
unknown

15.0-RELEASE (release) before p9
affected

14.4-RELEASE (release) before p5
affected

14.3-RELEASE (release) before p14
affected

Credits

Austin Ralls finder

References

security.freebsd.org/...ries/FreeBSD-SA-26:23.bsdinstall.asc vendor-advisory

cve.org (CVE-2026-45255)

nvd.nist.gov (CVE-2026-45255)

Download JSON