CVE-2026-45255: FreeBSD bsdinstall/bsdconfig RCE Flaw

CVE-2026-45255 Overview

CVE-2026-45255 is a command injection vulnerability [CWE-78] in the FreeBSD bsdinstall and bsdconfig utilities. The flaw resides in the shell script that processes Wi-Fi network names returned by a wireless scan. The script passes scanned SSID strings to bsddialog(1) without preventing shell expansion. An attacker within Wi-Fi range can broadcast an access point with a specially crafted SSID to execute arbitrary commands as root on the scanning host. The target system becomes vulnerable the moment a user initiates a Wi-Fi scan, even if the malicious network is never selected.

Critical Impact

A nearby attacker broadcasting a malicious SSID can achieve root code execution on any FreeBSD system running bsdinstall or bsdconfig during a Wi-Fi scan.

Affected Products

• FreeBSD bsdinstall utility
• FreeBSD bsdconfig utility
• FreeBSD operating system distributions shipping the vulnerable installer scripts

Discovery Timeline

• 2026-05-21 - CVE-2026-45255 published to NVD
• 2026-05-21 - Last updated in NVD database

Technical Details for CVE-2026-45255

Vulnerability Analysis

The vulnerability lives in shell script logic that builds a network selection menu after a Wi-Fi scan. The script collects SSIDs from the wireless interface and concatenates them into command arguments passed to bsddialog(1). Because the script does not quote or sanitize these values, the shell evaluates metacharacters within the SSID. An SSID containing a command substitution sequence such as backticks or $(...) triggers a subshell that runs attacker-controlled commands. The scanning process executes as root during installation or system configuration, so injected commands inherit full privileges.

Exploitation requires no user interaction beyond initiating the network scan. The vulnerable code path runs before any network is selected, meaning passive enumeration is sufficient to trigger execution. This pre-authentication, pre-association attack model removes the usual barriers that protect Wi-Fi clients.

Root Cause

The root cause is improper neutralization of special elements in an OS command [CWE-78]. SSID strings flow from untrusted radio input into a shell context without being quoted or filtered. Shell word splitting and command substitution then transform attacker data into executable code.

Attack Vector

An attacker configures a rogue access point with an SSID that embeds shell metacharacters and a payload. The attacker positions the access point within radio range of a FreeBSD host. When an administrator launches bsdinstall or bsdconfig and selects the Wi-Fi scan option, the malicious SSID is read, expanded by the shell, and the payload runs as root.

No verified exploit code is published. The mechanism is described in the FreeBSD Security Advisory.

Detection Methods for CVE-2026-45255

Indicators of Compromise

• Unexpected child processes spawned by bsdinstall or bsdconfig during or immediately after a Wi-Fi scan.
• Shell processes executing with root privileges that originate from installer or configuration utilities.
• Outbound network connections, new user accounts, or modified system files appearing shortly after a wireless scan on a FreeBSD host.

Detection Strategies

• Monitor process ancestry for sh or other interpreter children launched by bsdinstall, bsdconfig, or bsddialog outside expected workflows.
• Audit shell command history and /var/log entries on FreeBSD hosts that recently performed wireless scans during installation or configuration.
• Inspect nearby Wi-Fi environments for SSIDs containing shell metacharacters such as backticks, $(, ;, or |.

Monitoring Recommendations

• Enable verbose process auditing on FreeBSD systems using auditd with rules covering installer utilities.
• Forward installer and shell execution events to a centralized logging platform for correlation across hosts.
• Alert on any execution of bsdinstall or bsdconfig on production systems, where these tools should rarely run.

How to Mitigate CVE-2026-45255

Immediate Actions Required

• Apply the patched bsdinstall and bsdconfig scripts from the FreeBSD Security Advisory on all FreeBSD systems.
• Avoid initiating Wi-Fi scans from bsdinstall or bsdconfig on unpatched systems, particularly in untrusted radio environments.
• Perform FreeBSD installations using wired connections until the patch is applied.

Patch Information

FreeBSD has issued advisory FreeBSD-SA-26:23.bsdinstall with corrected shell scripts that properly quote SSID values before passing them to bsddialog(1). Administrators should apply the binary patch using freebsd-update or rebuild affected components from the patched source tree.

Workarounds

• Disable or remove the Wi-Fi scan option in installer workflows until patches are deployed.
• Use a wired Ethernet connection during installation and initial configuration to bypass the vulnerable code path.
• Operate FreeBSD installation media in physically controlled environments away from untrusted wireless networks.