Security Vulnerabilities
In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected.
In certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit that extended the permissions of the process.
CVSS Score
6.5
EPSS Score
0.001
Published
2026-05-21
When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) to prompt the user to select a network. This is implemented using a shell script, and the code which handled network names was not careful to prevent expansion by the shell. As a result, a suitably crafted network name can be used to execute commands via a subshell.
The problem can be exploited to execute code as root on the system running bsdinstall or bsdconfig. The attacker would need to create an access point with a specially crafted name and be within range of a Wi-Fi scan. Note that bsdinstall and bsdconfig are vulnerable as soon as the user prompts them to scan for nearby networks; they do not need to actually select the malicious network.
CVSS Score
7.5
EPSS Score
0.0
Published
2026-05-21
MediaArea MediaInfoLib LXF element parsing heap-based buffer overflow vulnerability
CVSS Score
7.8
EPSS Score
0.0
Published
2026-05-21
libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)'s descriptor set size limit of FD_SETSIZE (1024).
An attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges.
CVSS Score
8.8
EPSS Score
0.0
Published
2026-05-21
Incorrect Behaviour of Views with TCP PROXY Requests
CVSS Score
4.8
EPSS Score
0.0
Published
2026-05-21
Insufficient Validation of Names During AXFR
CVSS Score
6.8
EPSS Score
0.0
Published
2026-05-21
Insufficient Validation of Autoprimary SOA Queries
CVSS Score
7.5
EPSS Score
0.0
Published
2026-05-21
Concurrency and locking defects in GSS-TSIG
CVSS Score
5.9
EPSS Score
0.0
Published
2026-05-21
Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail
CVSS Score
4.9
EPSS Score
0.0
Published
2026-05-21
The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs.
Because the bounds check on the supplementary groups list occurs after the kernel stack buffer has already been written, an unprivileged local user may trigger the overflow without holding any special privilege. Successful exploitation may allow an attacker to execute arbitrary code in the context of the kernel, allowing an unprivileged local user to gain elevated privileges on the affected system.
CVSS Score
7.8
EPSS Score
0.0
Published
2026-05-21