From nobody Wed May 20 22:24:12 2026
X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLR0Y0bfNz6fXJN
	for <freebsd-security@mlmmj.nyi.freebsd.org>; Wed, 20 May 2026 22:24:13 +0000 (UTC)
	(envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "freefall.freebsd.org", Issuer "R13" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gLR0X5MRNz4N3q;
	Wed, 20 May 2026 22:24:12 +0000 (UTC)
	(envelope-from security-advisories@freebsd.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1779315852; h=from:from:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc; bh=PhP+Z4H89uK4q1vJShVTYwkuFsB+BX+yUcZ1trMS1SM=;
	b=Uorb6Z/8MnndqaudENfG+8Dcd2ETJtXi1GQzefD6B1tRgvbgDTj/lFbGnjzq41/guQy/aT
	rC5CJs5n+UABz6RQh8Etlev+N1ulr3UrSJPngab/RggvtFGAOGDp7BuiSn0jZIuSXk+4ld
	lhjriwKSkw3b2TR1CzYK10fzsYKo/uF3eiaq1byd+NAaWm8eTcB7XFI0OWkijUFscwmAsd
	bzbiqAHrOoZvB0kl2A9NF5pR8AeburPFX+g4sR2K4/rUlK95HjYo0aaQkgKgl/PS1knR+t
	9ILXanT8FrNqi+ISB7Vv1ZrbfqDyvDPXjbyfr+X6zzqdE/0UEzhRsUTMz/117Q==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1779315852; a=rsa-sha256; cv=none;
	b=IxmlW06lqOwxGD1nC00MVAO3CEbQW3h4tYwVR4myCP+meFrpXJqn90ULebfwHLVn2nOXUc
	BlLDJYc8a8JwPB1fDXiV0gpOydNZr0cFxiFia4+fFfUsVHNXF7C2BiPsl3aFUnlw0oUPyY
	aV50dEBxnHq0/FIkX3rGE/F1SE4+aaHmlt9g9kTHAasDeKPeGlZRxH6PZXrLpsmJsH/VgW
	sMvSyzEXYrbZ1e2lAxWJp2ju6T8SOKroWG0Eav1+HXos2/Saw5UcvWeyu5nMjCuo0ATPvf
	WXwd2zwedJsSdoaPUfrpbEF559so9Fza0/Puzp0VxeGiQ5dLLoNPs1lwAsS8Hg==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1779315852; h=from:from:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc;
	bh=PhP+Z4H89uK4q1vJShVTYwkuFsB+BX+yUcZ1trMS1SM=;
	b=QgrjDlEsZTEFmLTEnQWumzMcTCHvkB0PshXIOvjmM+KxS8uoNHWOt8rex9O2UkpJHplXtX
	IDIs76XlO1U1n/GsBdKrKuoWZVuE4abZCM/6OlphyjllStpIjIfg/xZi4G0TaW88DsyeNs
	ZKPQkxVMvyTTrdXM1H8ZP98i2bs4BKcgpUgxew4rwCIzNyeVv8CjgiahkmoJ6iyiGOr6fn
	PM16AP62B0Dijy6Rp53e/0ayP8bz6DZqwD9knKlOYZKL/PbovagQ2TaSI83oTXJrLQALxd
	Gpk6PxNE53ZypwD5TDw41RjGA8ia0k+itKE6ikI9m9Gtr4E3zb4BUlHrkCocUw==
Received: by freefall.freebsd.org (Postfix, from userid 945)
	id B0B9A9BF2; Wed, 20 May 2026 22:24:12 +0000 (UTC)
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-26:23.bsdinstall
Reply-To: freebsd-security@freebsd.org
Precedence: bulk
Message-Id: <20260520222412.B0B9A9BF2@freefall.freebsd.org>
Date: Wed, 20 May 2026 22:24:12 +0000 (UTC)
List-Id: Security issues <freebsd-security.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security
List-Help: <mailto:freebsd-security+help@freebsd.org>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Subscribe: <mailto:freebsd-security+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-security+unsubscribe@freebsd.org>
X-BeenThere: freebsd-security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.org
List-Id: <freebsd-security.FreeBSD.org>
List-Post: <mailto:freebsd-security@FreeBSD.org>
List-Help: <mailto:freebsd-security+help@FreeBSD.org>
List-Subscribe: <mailto:freebsd-security+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:freebsd-security+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-26:23.bsdinstall                                 Security Advisory
                                                          The FreeBSD Project

Topic:          Remote code execution via installer Wi-Fi access point scans

Category:       core
Module:         bsdinstall
Announced:      2026-05-20
Credits:        Austin Ralls
Affects:        All supported versions of FreeBSD.
Corrected:      2026-05-20 19:36:43 UTC (stable/15, 15.0-STABLE)
                2026-05-20 19:39:37 UTC (releng/15.0, 15.0-RELEASE-p9)
                2026-05-20 19:38:03 UTC (stable/14, 14.4-STABLE)
                2026-05-20 19:40:02 UTC (releng/14.4, 14.4-RELEASE-p5)
                2026-05-20 19:40:40 UTC (releng/14.3, 14.3-RELEASE-p14)
CVE Name:       CVE-2026-45255

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

bsdinstall and bsdconfig are utilities that provide an interactive
configuration mechanism for FreeBSD.  Among other functionality, they can be
used to configure FreeBSD to automatically join a Wi-Fi network.

II.  Problem Description

When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks,
they build up a list of network names and use bsddialog(1) to prompt the user
to select a network.  This is implemented using a shell script, and the code
which handled network names was not careful to prevent expansion by the
shell.  As a result, a suitably crafted network name can be used to execute
commands via a subshell.

III. Impact

The problem can be exploited to execute code as root on the system running
bsdinstall or bsdconfig.  The attacker would need to create an access point
with a specially crafted name and be within range of a Wi-Fi scan.  Note that
bsdinstall and bsdconfig are vulnerable as soon as the user prompts them to
scan for nearby networks; they do not need to actually select the malicious
network.

IV.  Workaround

Avoid using bsdinstall or bsdconfig to scan for Wi-Fi networks, and instead
configure Wi-Fi manually.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 15.x]
# fetch https://security.FreeBSD.org/patches/SA-26:23/bsdinstall-15.patch
# fetch https://security.FreeBSD.org/patches/SA-26:23/bsdinstall-15.patch.asc
# gpg --verify bsdinstall-15.patch.asc

[FreeBSD 14.x]
# fetch https://security.FreeBSD.org/patches/SA-26:23/bsdinstall-14.patch
# fetch https://security.FreeBSD.org/patches/SA-26:23/bsdinstall-14.patch.asc
# gpg --verify bsdinstall-14.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/15/                              6f5674b97fd6    stable/15-n283646
releng/15.0/                            b89f48ade920  releng/15.0-n281046
stable/14/                              f15df0adbcd2    stable/14-n274170
releng/14.4/                            dd50cc216e4d  releng/14.4-n273709
releng/14.3/                            9cb0be8381f7  releng/14.3-n271509
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.cve.org/CVERecord?id=CVE-2026-45255>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:23.bsdinstall.asc>
-----BEGIN PGP SIGNATURE-----

iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKH8bFIAAAAAABAAO
bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvTloP/0369bPHpZf0yt9C2VEk
NyOeFq+58zQGrz+RRrXA6Vg2xNdaD3fcjpVzAoqzscuE2T7VqZkpi6cS+cbzEE40
NXX+d7qPgd5udqJR4gL8+90KWj7yQ9Wl0tnbV8wTLE6km/Dma+MXuDJrIqUl8Tsb
q9hXGPfeymptS2vkR1Nj3VxEhDg0CCQz3bGD1sln7Oj63amX8HkHO9MwW8zHTyGj
pcMqEF2sN3Zz0WyyaBf5XS9G0EP0BpicDIcF1NiwYbPi0rlA/nU/zjACfao7lEJk
/XCq/iBKQsOiicvNGhoms/ku4YLNQv/L40FSJFNm8wmUsJD4fh6ll2+5Rm88666e
gJUcBiLEzlKFogiel4JLqXMBaAZseV6Py8B+puAYh2eFCa/3aF6w2QppMj4jIHCL
xEC/XUoBXN+34riiOCkPuSPqmgktvw7oZOBuk5DpV6qt7kdkInZ9i4HQnR13dhlF
vLW88oyuO+2dUn+LiLaHi6f7gxkHcgyOOa/N60D95E9+d6Aop9otyMxNRFbSiQ7I
x13B4j9ONtdAwL0uYJ+HPNHIfGTBHtpFzt62JfKdWqbSa5oVQrU5aq6wfMjMVupI
sYCq+XNTN0MVr4iHowDPqwuEi0+RBoPOQPIXFZRfJr4uTdeim5dzX6fjfe95KIps
3nJWEVEXVF/FiFWL3C+Lk3Cv
=Y3q0
-----END PGP SIGNATURE-----