diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 20a9b8176c2..90f7311b820 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -441,10 +441,10 @@ interpret:
 	} else {
 		AUDIT_ARG_FD(args->fd);
 		/*
-		 * Some might argue that CAP_MMAP should also be required here;
-		 * such arguments will be entertained.
+		 * Some might argue that CAP_READ and/or CAP_MMAP should also
+		 * be required here; such arguments will be entertained.
 		 *
-		 * Descriptors opened only with O_EXEC are allowed.
+		 * Descriptors opened only with O_EXEC or O_RDONLY are allowed.
 		 */
 		error = fgetvp_exec(td, args->fd, CAP_FEXECVE, &binvp);
 		if (error)