MNBSD-2026-15: Incorrect libcap_net limitation list manipulation

Severity: Unknown

Affected Package: libcap_net

Summary: Incorrect libcap_net limitation list manipulation

Description

libcasper(3) allows Capsicum-sandboxed applications to define and use system interfaces which are otherwise not available in a capability sandbox, by implementing special services. One of these services, libcap_net, enables networking capabilities within the restricted environment.

Casper services allow the application to define fine-grained limits on each operation handled by the service. Each service maintains a specific list of permitted operations. Certain operations can be further restricted by specifying an explicit list of allowed names. For example, libcap_net allows the application to limit the addresses to which it may bind or connect. If the application attempts to use libcap_net to bind or connect to an address outside the allowed list, the operation will fail.

In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected. In certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit that extended the permissions of the process.
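The limit check described above can be modelled as follows. This C code is an added example, not libcap_net source: the structures, function names, the "bind" and "connect" key strings and the sample addresses are constructed for illustration, and how the real service stores its limits is not shown on this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Simplified model, not libcap_net code. A limit maps an operation key to a
 * NULL-terminated list of allowed addresses; an absent key means "allow any". */
struct entry { const char *key; const char *addrs[4]; };
struct limit { struct entry e[4]; size_t n; };
static const struct entry *find(const struct limit *l, const char *key) {
    for (size_t i = 0; i < l->n; i++)
        if (strcmp(l->e[i].key, key) == 0) return &l->e[i];
    return NULL;
}
/* True when every address listed in a is also listed in b. */
static bool subset(const struct entry *a, const struct entry *b) {
    for (size_t i = 0; i < 4 && a->addrs[i]; i++) {
        size_t j = 0;
        while (j < 4 && b->addrs[j] && strcmp(a->addrs[i], b->addrs[j]) != 0) j++;
        if (j == 4 || !b->addrs[j]) return false;
    }
    return true;
}
/* What the modelled service would permit for key/addr under limit l. */
bool allowed(const struct limit *l, const char *key, const char *addr) {
    const struct entry *e = find(l, key);
    const struct entry want = { key, { addr } };
    return e == NULL || subset(&want, e);
}
/* Flawed: walks only keys in the NEW limit; an omitted key is never examined. */
bool narrow_ok_flawed(const struct limit *oldl, const struct limit *newl) {
    for (size_t i = 0; i < newl->n; i++) {
        const struct entry *o = find(oldl, newl->e[i].key);
        if (o != NULL && !subset(&newl->e[i], o)) return false;
    }
    return true;
}
/* Corrected: every key the OLD limit restricts must remain and must not grow. */
bool narrow_ok_fixed(const struct limit *oldl, const struct limit *newl) {
    for (size_t i = 0; i < oldl->n; i++) {
        const struct entry *n = find(newl, oldl->e[i].key);
        if (n == NULL || !subset(n, &oldl->e[i])) return false;
    }
    return true;
}
/* Constructed sample: old limit restricts both keys, new limit omits "connect". */
static const struct limit old_limit =
    { { {"bind", {"192.0.2.1"}}, {"connect", {"192.0.2.10"}} }, 2 };
static const struct limit new_limit = { { {"bind", {"192.0.2.1"}} }, 1 };
int main(void) { /* exit 0 when the corrected check rejects the widening */
    return narrow_ok_fixed(&old_limit, &new_limit) ? 1 : 0;
}
```

In this model the flawed check accepts the new limit, after which a connect to any address is permitted; the corrected check rejects the request and the old limit stays in force.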

Affected Versions

libcap_net

Specific versions:

Recommendations

No specific recommendations provided.

References

Additional Information

Aliases: CVE-2026-45254

Published: May 20, 2026
Last Modified: May 20, 2026