-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-26:23.bsdinstall Security Advisory
The FreeBSD Project
Topic: Remote code execution via installer Wi-Fi access point scans
Category: core
Module: bsdinstall
Announced: 2026-05-20
Credits: Austin Ralls
Affects: All supported versions of FreeBSD.
Corrected: 2026-05-20 19:36:43 UTC (stable/15, 15.0-STABLE)
2026-05-20 19:39:37 UTC (releng/15.0, 15.0-RELEASE-p9)
2026-05-20 19:38:03 UTC (stable/14, 14.4-STABLE)
2026-05-20 19:40:02 UTC (releng/14.4, 14.4-RELEASE-p5)
2026-05-20 19:40:40 UTC (releng/14.3, 14.3-RELEASE-p14)
CVE Name: CVE-2026-45255
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
bsdinstall and bsdconfig are utilities that provide an interactive
configuration mechanism for FreeBSD. Among other functionality, they can be
used to configure FreeBSD to automatically join a Wi-Fi network.
II. Problem Description
When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks,
they build up a list of network names and use bsddialog(1) to prompt the user
to select a network. This is implemented using a shell script, and the code
which handled network names was not careful to prevent expansion by the
shell. As a result, a suitably crafted network name can be used to execute
commands via a subshell.
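The shell pattern behind this class of bug, shown as an added illustration that is not bsdinstall's own code: the advisory does not show how bsdinstall assembles its bsddialog(1) arguments, so the eval-based builder below is a hypothetical stand-in for the unsafe construction, placed beside the hardened form. The scan results are constructed, and the crafted name only echoes a marker so the difference is visible.

```sh
#!/bin/sh
# Added illustration of the bug class in FreeBSD-SA-26:23, not bsdinstall's
# own code. Both functions turn a constructed list of scanned SSIDs into the
# "tag item" argument pairs a bsddialog(1) --menu expects. The unsafe one
# builds a string and eval's it, so shell syntax inside an SSID is executed;
# the safe one keeps every SSID as a separate positional parameter.

# Constructed scan output, one SSID per line. The last name contains a
# command substitution that only echoes a marker so the effect is visible.
SCAN_RESULTS='HomeNet
CoffeeShop
$(echo INJECTED)'

# Vulnerable pattern (hypothetical): concatenate quoted names into one
# string, then eval it. A name containing a double quote would also break
# the quoting here; the eval is what lets $(...) run.
build_menu_unsafe() {
    args=""
    while IFS= read -r ssid; do
        args="$args \"$ssid\" \"\""
    done <<EOF
$SCAN_RESULTS
EOF
    # eval re-parses the text of every SSID, so $(...) inside a name runs.
    # A real script would eval "bsddialog --menu ... $args" in the same way.
    eval "printf '%s\n' $args"
}

# Hardened pattern: every SSID stays a single word in "$@" and is never
# re-parsed by the shell, whatever characters it contains.
build_menu_safe() {
    set --
    while IFS= read -r ssid; do
        set -- "$@" "$ssid" ""
    done <<EOF
$SCAN_RESULTS
EOF
    # A real script would run: bsddialog --menu "Select network" 0 0 0 "$@"
    printf '%s\n' "$@"
}

# Helper: print menu line N (1-based) produced by a builder function.
menu_line() {
    "$1" | sed -n "${2}p"
}

# Defender-side check: flag names containing characters a shell would treat
# specially if the name were ever re-parsed. Returns 0 when any are present.
ssid_has_shell_meta() {
    case $1 in
        *'$'* | *'`'* | *'"'* | *'\'* ) return 0 ;;
    esac
    return 1
}

# Demonstration when run directly: the unsafe builder prints INJECTED on
# line 5, the safe builder prints the literal name $(echo INJECTED).
echo "unsafe menu line 5: $(menu_line build_menu_unsafe 5)"
echo "safe   menu line 5: $(menu_line build_menu_safe 5)"
```

The fix is structural rather than a filter: passing names through "$@" (or an array in shells that have them) means the dialog program receives each SSID as one argument and the shell never evaluates its contents, which is the property the advisory says the original code lacked. The ssid_has_shell_meta check is useful for logging or review, not as a substitute for that quoting discipline.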
III. Impact
The problem can be exploited to execute code as root on the system running
bsdinstall or bsdconfig. The attacker would need to create an access point
with a specially crafted name and be within range of a Wi-Fi scan. Note that
bsdinstall and bsdconfig are vulnerable as soon as the user prompts them to
scan for nearby networks; they do not need to actually select the malicious
network.
IV. Workaround
Avoid using bsdinstall or bsdconfig to scan for Wi-Fi networks, and instead
configure Wi-Fi manually.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:
1) To update your vulnerable system installed from base system packages:
Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:
# pkg upgrade -r FreeBSD-base
2) To update your vulnerable system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 15.x]
# fetch https://security.FreeBSD.org/patches/SA-26:23/bsdinstall-15.patch
# fetch https://security.FreeBSD.org/patches/SA-26:23/bsdinstall-15.patch.asc
# gpg --verify bsdinstall-15.patch.asc
[FreeBSD 14.x]
# fetch https://security.FreeBSD.org/patches/SA-26:23/bsdinstall-14.patch
# fetch https://security.FreeBSD.org/patches/SA-26:23/bsdinstall-14.patch.asc
# gpg --verify bsdinstall-14.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in .
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ 6f5674b97fd6 stable/15-n283646
releng/15.0/ b89f48ade920 releng/15.0-n281046
stable/14/ f15df0adbcd2 stable/14-n274170
releng/14.4/ dd50cc216e4d releng/14.4-n273709
releng/14.3/ 9cb0be8381f7 releng/14.3-n271509
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat <commit hash>
Or visit the following URL, replacing NNNNNN with the hash:
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----