CVE-2026-25740 Overview
CVE-2026-25740 is a privilege escalation vulnerability in the NixOS module for captive-browser, a dedicated Chrome instance designed to log into captive portals without interfering with DNS settings. When programs.captive-browser is enabled on NixOS 25.05 and earlier, any local user can execute arbitrary commands with the CAP_NET_RAW Linux capability. CAP_NET_RAW lets a process open raw and packet sockets and bind to any address for transparent proxying, so an unprivileged user who obtains it can capture and inject network traffic and forge connections that appear to originate from localhost, including to privileged services that trust loopback peers.
Critical Impact
Local users can exploit this vulnerability to obtain CAP_NET_RAW, which lets them sniff and inject raw network traffic and spoof localhost traffic, potentially compromising system services that trust connections arriving from the loopback interface.
Affected Products
- NixOS 25.05 and earlier releases (the captive-browser module shipped with those versions)
- NixOS systems with programs.captive-browser enabled
Discovery Timeline
- 2026-02-09 - CVE-2026-25740 published to NVD
- 2026-02-09 - Last updated in NVD database
Technical Details for CVE-2026-25740
Vulnerability Analysis
This vulnerability falls under CWE-250 (Execution with Unnecessary Privileges), where the captive-browser component grants excessive capabilities to processes that do not require them. The core issue stems from improper privilege management in the NixOS captive-browser module, which inadvertently allows any authenticated local user to inherit the CAP_NET_RAW capability when executing commands through the affected component.
The CAP_NET_RAW capability is particularly dangerous because it bypasses the normal restrictions on raw socket operations. A process holding it can open raw and packet sockets to capture or inject network traffic, bind to any local address for transparent proxying, and forge packets that appear to originate from localhost or other trusted sources. Note that CAP_NET_RAW does not by itself permit binding to ports below 1024; that is governed by the separate CAP_NET_BIND_SERVICE capability, so the real exposure here is traffic capture, injection and loopback spoofing rather than privileged port binding.
Root Cause
The vulnerability originates from a configuration flaw in how the captive-browser NixOS module handles Linux capabilities. When programs.captive-browser is enabled, the module fails to properly isolate the elevated CAP_NET_RAW capability, allowing it to be inherited by arbitrary user commands. This represents an execution with unnecessary privileges issue, as the capability should be strictly limited to the specific captive portal authentication operations.
Attack Vector
The attack requires local access to an affected NixOS system where programs.captive-browser has been enabled. Any authenticated local user can execute arbitrary commands through the vulnerable pathway and thereby run them with the CAP_NET_RAW capability, without needing root or any special group membership.
Once obtained, the capability enables privileged network operations such as capturing or injecting raw packets and forging traffic that appears to come from trusted localhost services, which can be used to attack daemons that treat loopback connections as authenticated.
Detection Methods for CVE-2026-25740
Indicators of Compromise
- Unexpected raw socket creation by non-root user processes
- Processes owned by unprivileged users whose effective capability set (the CapEff field in /proc/PID/status) includes CAP_NET_RAW
- Unusual network traffic originating from localhost addresses that doesn't match legitimate service patterns
- Log entries indicating captive-browser processes spawning unexpected child processes
Detection Strategies
- Monitor for processes owned by unprivileged users that hold CAP_NET_RAW, using getpcaps or by reading the CapEff field in /proc/PID/status
- Audit NixOS configuration files for programs.captive-browser.enable = true on affected versions
- Implement network monitoring to detect localhost traffic spoofing attempts
- Review system logs for unusual captive-browser activity or unexpected capability inheritance
Monitoring Recommendations
- Deploy host-based intrusion detection systems (HIDS) to monitor capability assignments and privilege escalation attempts
- Enable detailed process auditing to track capability inheritance across process boundaries
- Monitor for raw and packet sockets opened by non-root processes (for example with audit rules on the socket syscall) and alert on unexpected ones
- Implement SentinelOne's behavioral AI to detect anomalous process activity associated with capability abuse
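The script below is an added example for this advisory, not code from NixOS, nixpkgs or the captive-browser project. It implements two of the checks listed above in a form that runs on any Linux host: it reads the CapEff field of /proc/PID/status (CAP_NET_RAW is bit 13, per capabilities(7)) and flags non-root processes that hold it, which is the same information getpcaps reports, and it reports whether a configuration.nix contains a literal programs.captive-browser.enable = true. The default configuration path and the sample status and configuration contents are assumptions constructed for illustration; the grep only matches the direct assignment form, so for options set through imports or mkIf run nixos-option programs.captive-browser.enable on the host instead.

```shell
#!/usr/bin/env bash
# Added example for this advisory; not code from NixOS, nixpkgs or captive-browser.
# Two checks for a suspected host:
#   scan   - list non-root processes whose effective capability set (CapEff in
#            /proc/PID/status) contains CAP_NET_RAW, bit 13 per capabilities(7)
#   config - report whether a configuration.nix literally sets
#            programs.captive-browser.enable = true
# The bit number and the /proc status layout are kernel facts; the default
# config path and any sample inputs are assumptions for illustration.
set -u

CAP_NET_RAW_BIT=13
tab="$(printf '\t')"

# has_cap_net_raw HEXMASK: succeed when bit 13 of the 64-bit hex mask is set.
# CAP_NET_BIND_SERVICE is bit 10 and is deliberately not part of this check.
has_cap_net_raw() {
    [ $(( (0x$1 >> CAP_NET_RAW_BIT) & 1 )) -eq 1 ]
}

# inspect_status FILE: parse one /proc/PID/status file. Prints
# "pid uid capeff name" and succeeds only for a non-root process that holds
# CAP_NET_RAW in its effective set; fails silently otherwise.
inspect_status() {
    local file="$1" key value name="" pid="" uid="" capeff=""
    while IFS="$tab" read -r key value; do
        case "$key" in
            Name:)   name="$value" ;;
            Pid:)    pid="$value" ;;
            Uid:)    uid="${value%%${tab}*}" ;;   # real uid is the first column
            CapEff:) capeff="$value" ;;
        esac
    done < "$file"
    [ -n "$uid" ] && [ "$uid" != 0 ] && [ -n "$capeff" ] || return 1
    has_cap_net_raw "$capeff" || return 1
    printf '%s %s %s %s\n' "$pid" "$uid" "$capeff" "$name"
}

# scan_proc: walk every readable /proc/PID/status; succeed if any process was flagged.
scan_proc() {
    local f found=1
    for f in /proc/[0-9]*/status; do
        [ -r "$f" ] || continue
        inspect_status "$f" 2>/dev/null && found=0
    done
    return "$found"
}

# nix_enables_captive_browser FILE: succeed when the file contains a direct
# `programs.captive-browser.enable = true;` assignment. Options set via imports,
# nested attribute sets or mkIf are not seen; use `nixos-option` for those.
nix_enables_captive_browser() {
    grep -Eq '^[[:space:]]*programs\.captive-browser\.enable[[:space:]]*=[[:space:]]*true[[:space:]]*;' "$1"
}

case "${1:-}" in
    scan)   scan_proc || echo "no unprivileged process holds CAP_NET_RAW" ;;
    config) if nix_enables_captive_browser "${2:-/etc/nixos/configuration.nix}"; then
                echo "programs.captive-browser is enabled: disable it or upgrade"
            else
                echo "no direct programs.captive-browser.enable = true found"
            fi ;;
esac
```

Run it as `bash capscan.sh scan` on the suspect host (on a /proc mounted with hidepid you need root to see other users' processes) and `bash capscan.sh config /etc/nixos/configuration.nix` for the configuration check. A captive-browser process may legitimately appear in the scan while a portal login is in progress; the finding to chase is any other process, such as a shell or a network tool, owned by an unprivileged user.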
How to Mitigate CVE-2026-25740
Immediate Actions Required
- Upgrade NixOS to version 25.11 or 26.05 which contain the fix for this vulnerability
- If immediate upgrade is not possible, disable programs.captive-browser in your NixOS configuration
- Audit systems for any signs of exploitation using the detection methods outlined above
- Review and restrict local user access on affected systems until patches are applied
Patch Information
The vulnerability has been addressed in NixOS versions 25.11 and 26.05. For the fixing pull requests and complete technical details, refer to the GitHub Security Advisory GHSA-wc3r-c66x-8xmc.
Workarounds
- Disable captive-browser functionality by setting programs.captive-browser.enable = false in your NixOS configuration
- Implement strict user access controls to limit which users can access the affected system
- Do not treat a localhost source address as an authentication signal for loopback-only services, since a holder of CAP_NET_RAW can forge such traffic
- Use SentinelOne Singularity Platform to detect and block exploitation attempts through behavioral monitoring
# Disable captive-browser in NixOS configuration
# Edit your configuration.nix file and ensure:
programs.captive-browser.enable = false;
# Then rebuild your NixOS configuration
sudo nixos-rebuild switch
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

