CVE-2026-45255

HIGH

Remote code execution via installer Wi-Fi access point scans

Title source: cna

Description

When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) to prompt the user to select a network. This is implemented using a shell script, and the code which handled network names was not careful to prevent expansion by the shell. As a result, a suitably crafted network name can be used to execute commands via a subshell. The problem can be exploited to execute code as root on the system running bsdinstall or bsdconfig. The attacker would need to create an access point with a specially crafted name and be within range of a Wi-Fi scan. Note that bsdinstall and bsdconfig are vulnerable as soon as the user prompts them to scan for nearby networks; they do not need to actually select the malicious network.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

https://security.freebsd.org/advisories/FreeBSD-SA-26:23.bsdinstall.asc

Scores

CVSS v3 7.5

EPSS 0.0001

EPSS Percentile 0.7%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (6)

freebsd/freebsd 14.3 (14 CPE variants)

freebsd/freebsd 14.4 (6 CPE variants)

freebsd/freebsd 15.0 (9 CPE variants)

FreeBSD/FreeBSD 14.3-RELEASE - p14

FreeBSD/FreeBSD 14.4-RELEASE - p5

FreeBSD/FreeBSD 15.0-RELEASE - p9

Published May 21, 2026

Tracked Since May 21, 2026