
21 matches found

Cvelist
added 2026/02/09 8:17 p.m. · 25 views

CVE-2026-25740 Privilege escalation to the `CAP_NET_RAW` capability via the `programs.captive-browser` NixOS module

captive browser, a dedicated Chrome instance to log into captive portals without messing with DNS settings. In 25.05 and earlier, when programs.captive-browser is enabled, any user of the system can run arbitrary commands with the CAP_NET_RAW capability binding to privileged ports, spoofing localho...

5.8 CVSS · 0.00148 EPSS
Exploits 0 · References 3
CVE
added 2026/02/09 8:17 p.m. · 19 views

CVE-2026-25740

Summary: CVE-2026-25740 describes a local privilege escalation in NixOS where enabling the captive-browser module (programs.captive-browser) allows any user to run arbitrary commands with the CAP_NET_RAW capability in 25.05 and earlier. The underlying issue enables binding to privileged ports an...

5.8 CVSS · 5.8 AI score · 0.00148 EPSS
Exploits 0 · References 3
CNNVD
added 2026/02/09 12:00 a.m. · 4 views

Nixpkgs security vulnerability

Nixpkgs is an open-source collection of over 100,000 software packages from NixOS. It can be installed using the Nix package manager. Nixpkgs versions 25.05 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the ability for any system user to execute commands with t...

5.8 CVSS · 5.9 AI score · 0.00148 EPSS
Exploits 0 · References 3
Positive Technologies
added 2026/02/09 12:00 a.m. · 6 views

PT-2026-7151

captive browser, a dedicated Chrome instance to log into captive portals without messing with DNS settings. In 25.05 and earlier, when programs.captive-browser is enabled, any user of the system can run arbitrary commands with the CAP_NET_RAW capability binding to privileged ports, spoofing...

5.8 CVSS · 5.8 AI score · 0.00148 EPSS
Exploits 0 · References 4
Tenable Nessus
added 2026/01/16 12:00 a.m. · 4 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-000592)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-000592 advisory. Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service (use-after-free) by...

7.8 CVSS · 7.1 AI score · 0.11127 EPSS
Exploits 16 · References 37
SUSE CVE
added 2023/02/15 4:07 a.m. · 1 views

SUSE CVE-2019-17054

atalk_create in net/appletalk/ddp.c in the AF_APPLETALK network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-6cc03e8aa36c...

3.3 CVSS · 7.7 AI score · 0.00514 EPSS
Exploits 0 · References 4
SUSE CVE
added 2023/02/15 3:58 a.m. · 2 views

SUSE CVE-2020-13401

An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service...

6 CVSS · 6.9 AI score · 0.02839 EPSS
Exploits 0 · References 12
RedHat Linux
added 2022/11/15 11:55 a.m. · 1 views

kernel: net/packet: slab-out-of-bounds access in packet_recvmsg()

An out-of-bounds access issue was found in the Linux kernel networking subsystem in the way raw packet sockets (AF_PACKET) used PACKET_COPY_THRESH and mmap operations. A local attacker with CAP_NET_RAW capability could use this flaw to trigger a buffer overflow resulting in a system crash or privilege...

7.8 CVSS · 6.8 AI score · 0.00125 EPSS
Exploits 0 · References 4
RedHat Linux
added 2022/11/08 9:32 a.m. · 3 views

kernel: net/packet: slab-out-of-bounds access in packet_recvmsg()

An out-of-bounds access issue was found in the Linux kernel networking subsystem in the way raw packet sockets (AF_PACKET) used PACKET_COPY_THRESH and mmap operations. A local attacker with CAP_NET_RAW capability could use this flaw to trigger a buffer overflow resulting in a system crash or privilege...

7.8 CVSS · 6.8 AI score · 0.00125 EPSS
Exploits 0 · References 4
OSV
added 2021/05/12 11:15 p.m. · 0 views

DEBIAN-CVE-2021-23134

Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability...

7.8 CVSS · 6.3 AI score · 0.00343 EPSS
Exploits 0 · References 1
OSV
added 2018/03/02 12:00 a.m. · 0 views

UBUNTU-CVE-2018-1065

The netfilter subsystem in the Linux kernel through 4.15.7 mishandles the case of a rule blob that contains a jump but lacks a user-defined chain, which allows local users to cause a denial of service (NULL pointer dereference) by leveraging the CAP_NET_RAW or CAP_NET_ADMIN capability, related to...

4.7 CVSS · 6.7 AI score · 0.00438 EPSS
Exploits 0 · References 10
Positive Technologies
added 2018/03/02 12:00 a.m. · 7 views

PT-2018-10028 · Linux +3 · Linux Kernel +3

Name of the Vulnerable Software and Affected Versions: Linux kernel versions through 4.15.7. Description: The netfilter subsystem in the Linux kernel mishandles the case of a rule blob that contains a jump but lacks a user-defined chain, which allows local users to cause a denial of service NULL...

10 CVSS · 7.3 AI score · 0.93838 EPSS
Exploits 90 · References 594
BDU FSTEC
added 2017/11/23 12:00 a.m. · 3 views

The vulnerability of the packet_set_ring function in the kernel of Linux operating systems allows an attacker to increase their privileges, cause service failures, or execute arbitrary code.

The vulnerability of the packet_set_ring function in the Linux operating system’s kernel is related to deficiencies in access control. Exploiting this vulnerability allows a malicious actor, who has local privileges as CAP_NET_RAW, to create PF_PACKET sockets, initiate racing states and memory usage...

7.8 CVSS · 6.8 AI score · 0.00374 EPSS
Exploits 0 · References 36 · Affected Software 2
RedHat Linux
added 2017/10/19 2:48 p.m. · 1 views

kernel: Heap out-of-bounds read in AF_PACKET sockets

A race condition issue was found in the way the raw packet socket implementation in the Linux kernel networking subsystem handled synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this to waste resources in the kernel's ring buffer or...

7.8 CVSS · 7.2 AI score · 0.00374 EPSS
Exploits 0 · References 4
Positive Technologies
added 2017/08/10 12:00 a.m. · 4 views

PT-2017-3105 · Linux +5 · Linux Kernel +5

Name of the Vulnerable Software and Affected Versions: Linux kernel affected versions not specified. Description: The issue is related to a heap out-of-bounds condition in AF_PACKET sockets, similar to a previously disclosed problem. It involves a race condition between a socket option that change...

8.8 CVSS · 7.5 AI score · 0.20797 EPSS
Exploits 65 · References 363
OSV
added 2017/03/29 8:59 p.m. · 3 views

DEBIAN-CVE-2017-7308

The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges if the CAP_NET_RAW capability is held...

7.8 CVSS · 6 AI score · 0.17827 EPSS
Exploits 17 · References 1
OSV
added 2017/03/29 12:00 a.m. · 1 views

UBUNTU-CVE-2017-7308

The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges if the CAP_NET_RAW capability is held...

7.8 CVSS · 6.7 AI score · 0.17827 EPSS
Exploits 17 · References 5
Positive Technologies
added 2016/12/02 12:00 a.m. · 5 views

PT-2016-2922 · Linux +5 · Linux Kernel +5

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 4.8.12. Description: The issue exists due to insufficient checking of a resource's state when it can be shared, allowing a local attacker to potentially gain privileges or cause a denial of service use-after-free...

10 CVSS · 7.6 AI score · 0.24299 EPSS
Exploits 25 · References 409
RedHat Linux
added 2011/01/04 4:49 p.m. · 3 views

kernel: net/packet/af_packet.c: reading uninitialized stack memory

net/packet/af_packet.c in the Linux kernel before 2.6.37-rc2 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_RAW capability to read copies of the applicable structures...

1.9 CVSS · 6.1 AI score · 0.00377 EPSS
Exploits 0 · References 4
Positive Technologies
added 2011/01/03 12:00 a.m. · 2 views

PT-2011-1106 · Linux +1 · Linux Kernel +1

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 2.6.37-rc2 kernel-devel-2.6.9 kernel-doc-2.6.9 kernel-hugemem-2.6.9 kernel-2.6.9 kernel-largesmp-2.6.9 kernel-smp-devel-2.6.9 kernel-smp-2.6.9 kernel-hugemem-devel-2.6.9 kernel-largesmp-devel-2.6.9...

10 CVSS · 5.8 AI score · 0.05542 EPSS
Exploits 38 · References 112