Remote code execution via installer Wi-Fi access point scans

CVE	CVE-2026-45255
State	PUBLISHED
Assigner	freebsd
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-21 10:16:26 UTC
Updated	2026-05-21 19:00:34 UTC
Description	When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) to prompt the user to select a network. This is implemented using a shell script, and the code which handled network names was not careful to prevent expansion by the shell. As a result, a suitably crafted network name can be used to execute commands via a subshell. The problem can be exploited to execute code as root on the system running bsdinstall or bsdconfig. The attacker would need to create an access point with a specially crafted name and be within range of a Wi-Fi scan. Note that bsdinstall and bsdconfig are vulnerable as soon as the user prompts them to scan for nearby networks; they do not need to actually select the malicious network.

Primary CVSS: v3.1 7.5 HIGH from ADP

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.000090000 probability, percentile 0.009840000 (date 2026-05-27)

Problem Types: CWE-78 | CWE-78 CWE-78: Improper Neutralization of Special Elements used in an OS Command

Version	Source	Type	Score	Severity	Vector
3.1	ADP	DECLARED	7.5	HIGH	`CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
3.1	134c704f-9b21-4f2e-91b3-4a467353bcc0	Secondary	7.5	HIGH	`CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Freebsd	Freebsd	14.3	-	All	All
Operating System	Freebsd	Freebsd	14.3	p1	All	All
Operating System	Freebsd	Freebsd	14.3	p10	All	All
Operating System	Freebsd	Freebsd	14.3	p11	All	All
Operating System	Freebsd	Freebsd	14.3	p12	All	All
Operating System	Freebsd	Freebsd	14.3	p13	All	All
Operating System	Freebsd	Freebsd	14.3	p2	All	All
Operating System	Freebsd	Freebsd	14.3	p3	All	All
Operating System	Freebsd	Freebsd	14.3	p4	All	All
Operating System	Freebsd	Freebsd	14.3	p5	All	All
Operating System	Freebsd	Freebsd	14.3	p6	All	All
Operating System	Freebsd	Freebsd	14.3	p7	All	All
Operating System	Freebsd	Freebsd	14.3	p8	All	All
Operating System	Freebsd	Freebsd	14.3	p9	All	All
Operating System	Freebsd	Freebsd	14.4	-	All	All
Operating System	Freebsd	Freebsd	14.4	p1	All	All
Operating System	Freebsd	Freebsd	14.4	p2	All	All
Operating System	Freebsd	Freebsd	14.4	p3	All	All
Operating System	Freebsd	Freebsd	14.4	p4	All	All
Operating System	Freebsd	Freebsd	14.4	rc1	All	All
Operating System	Freebsd	Freebsd	15.0	-	All	All
Operating System	Freebsd	Freebsd	15.0	p1	All	All
Operating System	Freebsd	Freebsd	15.0	p2	All	All
Operating System	Freebsd	Freebsd	15.0	p3	All	All
Operating System	Freebsd	Freebsd	15.0	p4	All	All
Operating System	Freebsd	Freebsd	15.0	p5	All	All
Operating System	Freebsd	Freebsd	15.0	p6	All	All
Operating System	Freebsd	Freebsd	15.0	p7	All	All
Operating System	Freebsd	Freebsd	15.0	p8	All	All

Source	Vendor	Product	Version	Platforms
CNA	FreeBSD	FreeBSD	affected 15.0-RELEASE p9 release	Not specified
CNA	FreeBSD	FreeBSD	affected 14.4-RELEASE p5 release	Not specified
CNA	FreeBSD	FreeBSD	affected 14.3-RELEASE p14 release	Not specified

Reference	Source	Link	Tags
security.freebsd.org/advisories/FreeBSD-SA-26:23.bsdinstall.asc	[email protected]	security.freebsd.org	Vendor Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

CNA: Austin Ralls (en)

There are currently no legacy QID mappings associated with this CVE.