CVE-2026-25740: CWE-250: Execution with Unnecessary Privileges in NixOS nixpkgs
CVE-2026-25740 is a medium severity vulnerability in NixOS nixpkgs versions 25.05 and earlier, related to the captive-browser feature. This feature runs a dedicated Chrome instance to facilitate captive portal logins without DNS changes. When enabled, any local user can execute arbitrary commands with the CAP_NET_RAW capability, allowing actions such as binding to privileged ports and spoofing localhost traffic from privileged services. The vulnerability arises from execution with unnecessary privileges (CWE-250). It requires local access and partial privileges but no user interaction. The issue is fixed in versions 25.11 and 26.05. While no known exploits are reported in the wild, the potential for privilege escalation and network spoofing poses risks to system integrity and network security.
AI Analysis
Technical Summary
CVE-2026-25740 identifies a security flaw in the NixOS nixpkgs package, specifically affecting the captive-browser feature in versions 25.05 and earlier. The captive-browser is designed as a dedicated Chrome instance to handle captive portal logins without altering DNS settings. However, when enabled, it grants any system user the CAP_NET_RAW capability, which is a powerful Linux capability allowing raw network access. This capability enables users to bind to privileged network ports (ports below 1024), spoof localhost traffic, and potentially interfere with privileged services that rely on localhost communication. The vulnerability is classified under CWE-250, indicating execution with unnecessary privileges, meaning the captive-browser process runs with more privileges than strictly necessary. Exploiting this flaw requires local access and a user with at least some privileges on the system but does not require user interaction. The CVSS 4.0 score is 5.8 (medium severity), reflecting the moderate impact and exploit complexity. The vulnerability compromises system integrity and network security by enabling privilege escalation and network spoofing attacks. The issue has been addressed in NixOS versions 25.11 and 26.05, where the captive-browser no longer grants CAP_NET_RAW to unprivileged users. No public exploits have been reported yet, but the risk remains significant for environments where captive-browser is enabled and multiple users have system access.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized privilege escalation and network spoofing on systems running vulnerable NixOS versions with captive-browser enabled. Attackers with local access could bind to privileged ports, potentially intercept or manipulate network traffic intended for local services, and disrupt or impersonate critical system components. This could compromise system integrity, allow lateral movement within networks, or facilitate further attacks such as man-in-the-middle or denial of service. Organizations relying on NixOS for network infrastructure, gateways, or multi-user environments are particularly at risk. The impact is heightened in environments with shared user access or where captive portals are used extensively, such as universities, enterprises, or public institutions. Although no remote exploitation is indicated, insider threats or compromised local accounts could exploit this vulnerability to escalate privileges and disrupt network operations.
Mitigation Recommendations
European organizations should immediately upgrade NixOS installations to version 25.11 or later, where the vulnerability is fixed. If upgrading is not immediately possible, disable the captive-browser feature to prevent granting CAP_NET_RAW capabilities to unprivileged users. Implement strict access controls to limit local user accounts and privileges, ensuring only trusted users have system access. Employ monitoring for unusual network activity, especially binding to privileged ports or spoofed localhost traffic. Use Linux security modules like SELinux or AppArmor to restrict capabilities granted to processes. Conduct regular audits of system capabilities and privilege assignments. Educate system administrators about the risks of enabling captive-browser in multi-user environments. Finally, maintain up-to-date system inventories to quickly identify and remediate vulnerable systems.
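A small audit script for the two checks above (find binaries that carry cap_net_raw, and see whether the captive-browser module is switched on). This is an added example, not code from nixpkgs or from the advisory; the option name `programs.captive-browser.enable`, the wrapper paths under `/run/wrappers/bin`, and the sample `getcap` output and configuration fragment are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not nixpkgs code): audit a NixOS host for binaries that carry
# cap_net_raw and check whether the captive-browser module is enabled.
# Assumed: the option is programs.captive-browser.enable and wrappers live
# under /run/wrappers/bin; adjust both for your host.

# Constructed sample of `getcap -r /` output; covers both libcap output styles.
SAMPLE_GETCAP='/run/wrappers/bin/ping cap_net_raw=ep
/run/wrappers/bin/captive-browser cap_net_raw=ep
/run/wrappers/bin/sudo cap_setuid=ep
/usr/bin/traceroute = cap_net_raw+ep'

# Constructed configuration.nix fragment with the risky setting enabled.
SAMPLE_CONFIG='{ config, pkgs, ... }:
{
  programs.captive-browser.enable = true;
  programs.captive-browser.interface = "wlan0";
}'

# flag_net_raw: read getcap output on stdin, print only paths granted cap_net_raw.
flag_net_raw() {
  awk '/cap_net_raw/ { print $1 }'
}

# count_net_raw: number of cap_net_raw binaries in the getcap text passed as $1.
count_net_raw() {
  printf '%s\n' "$1" | flag_net_raw | wc -l | tr -d ' '
}

# captive_browser_enabled: returns 0 if the config text in $1 enables the
# module, 1 otherwise. Matches `programs.captive-browser.enable = true;`
# with any surrounding whitespace.
captive_browser_enabled() {
  printf '%s\n' "$1" | grep -Eq \
    '^[[:space:]]*programs\.captive-browser\.enable[[:space:]]*=[[:space:]]*true[[:space:]]*;'
}

# audit_live: the same checks against the running host (needs libcap's getcap).
audit_live() {
  echo "binaries with cap_net_raw:"
  getcap -r / 2>/dev/null | flag_net_raw
  if captive_browser_enabled "$(cat /etc/nixos/configuration.nix 2>/dev/null)"; then
    echo "programs.captive-browser is enabled: disable it or upgrade to NixOS 25.11+"
  fi
}

# Dry run on the constructed samples: RUN_SAMPLE_AUDIT=1 sh audit.sh
if [ "${RUN_SAMPLE_AUDIT:-}" = 1 ]; then
  printf '%s\n' "$SAMPLE_GETCAP" | flag_net_raw
  captive_browser_enabled "$SAMPLE_CONFIG" && echo "captive-browser enabled in sample config"
fi
```

Call `audit_live` as root on a real host; any wrapper it lists that non-administrators can execute is worth reviewing even after the upgrade.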
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-05T16:48:00.428Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698a44144b57a58fa16f3275
Added to database: 2/9/2026, 8:31:16 PM
Last enriched: 2/9/2026, 8:45:35 PM
Last updated: 2/9/2026, 9:43:06 PM