FreeBSD Security Advisory FreeBSD-SA-26:23.bsdinstall
Posted on 21 May 2026
=============================================================================
FreeBSD-SA-26:23.bsdinstall Security Advisory
The FreeBSD Project
Topic: Remote code execution via installer Wi-Fi access point scans
Category: core
Module: bsdinstall
Announced: 2026-05-20
Credits: Austin Ralls
Affects: All supported versions of FreeBSD.
Corrected: 2026-05-20 19:36:43 UTC (stable/15, 15.0-STABLE)
           2026-05-20 19:39:37 UTC (releng/15.0, 15.0-RELEASE-p9)
           2026-05-20 19:38:03 UTC (stable/14, 14.4-STABLE)
           2026-05-20 19:40:02 UTC (releng/14.4, 14.4-RELEASE-p5)
           2026-05-20 19:40:40 UTC (releng/14.3, 14.3-RELEASE-p14)
CVE Name: CVE-2026-45255
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
bsdinstall and bsdconfig are utilities that provide an interactive
configuration mechanism for FreeBSD. Among other functionality, they can be
used to configure FreeBSD to automatically join a Wi-Fi network.
II. Problem Description
When bsdinstall or bsdconfig is prompted to scan for nearby Wi-Fi networks,
it builds up a list of network names and uses bsddialog(1) to prompt the user
to select a network. This is implemented as a shell script, and the code
which handled network names was not careful to prevent expansion by the
shell. As a result, a suitably crafted network name can be used to execute
commands via a subshell.
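The bug class described above, as an added example that is not FreeBSD's bsdinstall or bsdconfig code: a constructed scan result containing a network name with a harmless $(echo EXPANDED) marker is fed through an eval-based list builder (the unsafe pattern) and through a builder that keeps every name as a separately quoted argument. The scan output, the marker and the function names are assumptions for illustration, and printf stands in for bsddialog(1).

```shell
#!/bin/sh
# Added example, not from FreeBSD's bsdinstall: the shell-expansion bug
# class the advisory describes, beside a hardened list builder.
# SCAN_OUTPUT is a constructed scan result; the third "network name"
# carries a harmless $(echo EXPANDED) marker so expansion is observable.
SCAN_OUTPUT='HomeNet
CoffeeShop
$(echo EXPANDED)'

# Unsafe: names are concatenated into one string and the string is handed
# back to the shell with eval, so $(...) inside a name is executed.
build_menu_unsafe() {
	items=""
	for ssid in $SCAN_OUTPUT; do
		items="$items $ssid"
	done
	eval "echo $items"
}

# Hardened: read one name per line verbatim (IFS= and -r) and store each as
# its own positional parameter. "$@" passes them on as distinct, quoted
# arguments, so the shell never re-parses their contents. The here-document
# expands $SCAN_OUTPUT once; the expansion result is not re-scanned.
build_menu_safe() {
	set --
	while IFS= read -r ssid; do
		set -- "$@" "$ssid"
	done <<EOF
$SCAN_OUTPUT
EOF
	printf '%s\n' "$@"
}

# Check helpers: succeed when the marker reaches the menu unchanged, i.e.
# the name was treated as data rather than code.
safe_keeps_name_literal() {
	build_menu_safe | grep -qF '$(echo EXPANDED)'
}
unsafe_keeps_name_literal() {
	build_menu_unsafe | grep -qF '$(echo EXPANDED)'
}
```

Running build_menu_unsafe prints "HomeNet CoffeeShop EXPANDED", showing the marker was executed; build_menu_safe prints the three names verbatim on separate lines.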
III. Impact
The problem can be exploited to execute code as root on the system running
bsdinstall or bsdconfig. The attacker would need to create an access point
with a specially crafted name and be within range of a Wi-Fi scan. Note that
bsdinstall and bsdconfig are vulnerable as soon as the user prompts them to
scan for nearby networks; they do not need to actually select the malicious
network.
IV. Workaround
Avoid using bsdinstall or bsdconfig to scan for Wi-Fi networks, and instead
configure Wi-Fi manually.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:
1) To update your vulnerable system installed from base system packages:
Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:
# pkg upgrade -r FreeBSD-base
2) To update your vulnerable system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 15.x]
# fetch https://security.FreeBSD.org/patches/SA-26:23/bsdinstall-15.patch
# fetch https://security.FreeBSD.org/patches/SA-26:23/bsdinstall-15.patch.asc
# gpg --verify bsdinstall-15.patch.asc
[FreeBSD 14.x]
# fetch https://security.FreeBSD.org/patches/SA-26:23/bsdinstall-14.patch
# fetch https://security.FreeBSD.org/patches/SA-26:23/bsdinstall-14.patch.asc
# gpg --verify bsdinstall-14.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              6f5674b97fd6             stable/15-n283646
releng/15.0/                            b89f48ade920             releng/15.0-n281046
stable/14/                              f15df0adbcd2             stable/14-n274170
releng/14.4/                            dd50cc216e4d             releng/14.4-n273709
releng/14.3/                            9cb0be8381f7             releng/14.3-n271509
-------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat <commit hash>
Or visit the following URL, replacing NNNNNN with the hash:
<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
<URL:https://www.cve.org/CVERecord?id=CVE-2026-45255>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:23.bsdinstall.asc>
