CVE-2026-25740: CWE-250: Execution with Unnecessary Privileges in NixOS nixpkgs
CVE-2026-25740 is a medium-severity vulnerability in NixOS nixpkgs versions 25.05 and earlier, involving the captive-browser feature. This feature runs a dedicated Chrome instance to handle captive portal logins without altering DNS settings. When enabled, any local user can execute arbitrary commands with the CAP_NET_RAW capability, allowing actions such as binding to privileged ports and spoofing localhost traffic from privileged services. The vulnerability arises from execution with unnecessary privileges (CWE-250). It requires local access and partial privileges but no user interaction. The issue is fixed in versions 25.11 and 26.05. Although no known exploits are reported in the wild, the potential for privilege escalation and network spoofing poses risks, especially in multi-user environments.
AI Analysis
Technical Summary
CVE-2026-25740 is a vulnerability classified under CWE-250 (Execution with Unnecessary Privileges) affecting the NixOS nixpkgs distribution, specifically versions 25.05 and earlier. The issue centers on the captive-browser feature, which launches a dedicated Chrome instance to facilitate captive portal authentication without modifying DNS settings. When this feature is enabled, any user on the system can execute arbitrary commands with the CAP_NET_RAW capability. This Linux capability allows binding to privileged network ports (ports below 1024) and spoofing network traffic, including localhost communications from privileged services. The vulnerability arises because the captive-browser process is granted more privileges than it needs, enabling local users with limited privileges to escalate their capabilities, perform network-level attacks, or interfere with privileged services. Exploitation requires local access and partial privileges (PR:L) but does not require user interaction (UI:N). The CVSS 4.0 base score is 5.8, reflecting a medium severity due to the moderate impact on availability and high impact on confidentiality, combined with the ease of exploitation by local users. The vulnerability is fixed in NixOS versions 25.11 and 26.05. No known exploits have been reported in the wild, but the potential for misuse in multi-user or shared environments is significant. The issue highlights the risks of granting unnecessary capabilities to processes intended for network authentication tasks.
Potential Impact
For European organizations, this vulnerability poses a risk primarily in environments where NixOS is deployed with the captive-browser feature enabled, especially in multi-user systems such as shared workstations, public kiosks, or institutional environments. An attacker with local access could exploit this vulnerability to gain CAP_NET_RAW privileges, enabling them to bind to privileged ports and spoof network traffic, potentially intercepting or manipulating communications with privileged services. This could lead to unauthorized access, data interception, or disruption of network services. Although the vulnerability does not allow remote exploitation, insider threats or compromised user accounts could leverage it to escalate privileges and move laterally within networks. Organizations relying on captive portals for network access control may see increased risk if attackers manipulate network authentication flows. The impact on confidentiality and availability is notable, while integrity risks depend on the attacker’s subsequent actions. Given the medium CVSS score and local access requirement, the threat is moderate but should not be underestimated in sensitive or regulated environments common in Europe.
Mitigation Recommendations
European organizations should immediately upgrade NixOS installations to versions 25.11 or later, where the vulnerability is patched. If upgrading is not immediately feasible, administrators should disable the captive-browser feature to eliminate the attack vector. Restrict captive-browser usage to trusted, minimal-privilege users and enforce strict access controls on systems running this feature. Employ Linux security modules such as SELinux or AppArmor to confine the captive-browser process and limit its capabilities, particularly restricting CAP_NET_RAW. Regularly audit user privileges and monitor for unusual network activity indicative of spoofing or unauthorized binding to privileged ports. Implement network segmentation to isolate critical services from potentially compromised hosts. Additionally, maintain up-to-date intrusion detection systems to detect anomalous network behaviors that could result from exploitation attempts. Finally, educate users about the risks of local privilege escalation and enforce strong authentication and endpoint security policies to reduce the likelihood of initial compromise.
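The audit step above (confirm that nothing on the host still grants CAP_NET_RAW once captive-browser is disabled or the system is upgraded) can be scripted. The following POSIX shell helper is an added example written for this page; it is not code from the advisory, from nixpkgs or from the captive-browser module. It assumes that NixOS security wrappers live under /run/wrappers/bin, that `getcap` is available, and that `getcap` prints one of the two line shapes shown in the comments (they differ between libcap versions); the sample lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added audit helper, not from the advisory or nixpkgs: list capability-bearing
# binaries that grant CAP_NET_RAW, so an administrator can verify that the
# captive-browser wrapper (and anything else) no longer carries it after
# upgrading or disabling the feature.
# Assumptions: NixOS security wrappers are installed under /run/wrappers/bin and
# getcap prints one of these two line shapes (format differs between libcap versions):
#   /run/wrappers/bin/example = cap_net_raw+p
#   /run/wrappers/bin/example cap_net_raw=p

# Return 0 when one getcap output line mentions cap_net_raw, 1 otherwise.
has_net_raw_line() {
    case "$1" in
        *cap_net_raw*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Read getcap output on stdin; print only the paths of binaries granting cap_net_raw.
# The path is everything before the first space, which holds for both line shapes.
net_raw_paths() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if has_net_raw_line "$line"; then
            printf '%s\n' "${line%% *}"
        fi
    done
}

# Scan a directory (default: the assumed NixOS wrapper directory) and report.
# Exit status: 0 = nothing grants cap_net_raw, 1 = at least one binary does,
#              2 = getcap is not installed.
audit_net_raw() {
    dir="${1:-/run/wrappers/bin}"
    if ! command -v getcap >/dev/null 2>&1; then
        echo "getcap not found; install libcap to run this audit" >&2
        return 2
    fi
    found=$(getcap -r "$dir" 2>/dev/null | net_raw_paths)
    if [ -n "$found" ]; then
        echo "binaries granting CAP_NET_RAW under $dir:"
        printf '%s\n' "$found" | while IFS= read -r p; do
            printf '  %s\n' "$p"
        done
        return 1
    fi
    echo "no binary under $dir grants CAP_NET_RAW"
    return 0
}

# Run the live scan only when invoked as:  sh audit-net-raw.sh --scan [directory]
if [ "${1:-}" = "--scan" ]; then
    audit_net_raw "${2:-}"
fi
```

Run it with `--scan` after applying the fix; a non-zero exit with a listed path means a wrapper still carries the capability and the feature has not actually been removed from the system closure. On NixOS the feature is switched off by setting the captive-browser module's enable option to false (assumed option name: `programs.captive-browser.enable = false;`) and rebuilding; the scan then confirms that the wrapper is gone rather than trusting the configuration alone.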
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-05T16:48:00.428Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698a44144b57a58fa16f3275
Added to database: 2/9/2026, 8:31:16 PM
Last enriched: 2/17/2026, 9:46:34 AM
Last updated: 3/27/2026, 1:16:02 AM
Views: 89