diff --git a/CHANGELOG.md b/CHANGELOG.md index c944cd749..a2dfd29e9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ FEATURES: __BACKWARDS INCOMPATIBILITIES:__ * csi: The `attachment_mode` and `access_mode` field are required for `volume` blocks in job specifications. Registering a volume requires at least one `capability` block with the `attachment_mode` and `access_mode` fields set. [[GH-10330](https://github.com/hashicorp/nomad/issues/10330)] + * drivers/exec+java: Reduce set of linux capabilities enabled by default [[GH-10600](https://github.com/hashicorp/nomad/pull/10600)] * licensing: Enterprise licenses are no longer stored in raft or synced between servers. Loading the Enterprise license from disk or environment is required. The `nomad license put` command has been removed. [[GH-10458](https://github.com/hashicorp/nomad/issues/10458)] SECURITY: diff --git a/website/content/docs/drivers/docker.mdx b/website/content/docs/drivers/docker.mdx index 3c202e107..16e248be7 100644 --- a/website/content/docs/drivers/docker.mdx +++ b/website/content/docs/drivers/docker.mdx @@ -824,7 +824,7 @@ plugin "docker" { ``` which is the same list of capabilities allowed by [docker by default][docker_caps] - (sans [`NET_RAW`][no_net_raw]). Allows the operator to control which capabilities can be obtained + (without [`NET_RAW`][no_net_raw]). Allows the operator to control which capabilities can be obtained by tasks using [`cap_add`][cap_add] and [`cap_drop`][cap_drop] options. Supports the value `"all"` as a shortcut for allow-listing all capabilities supported by the operating system. diff --git a/website/content/docs/drivers/exec.mdx b/website/content/docs/drivers/exec.mdx index df557b7c7..065693233 100644 --- a/website/content/docs/drivers/exec.mdx +++ b/website/content/docs/drivers/exec.mdx 
@@ -167,7 +167,7 @@ able to make use of IPC features, like sending unexpected POSIX signals. ``` which is modeled after the capabilities allowed by [docker by default][docker_caps] - (sans [`NET_RAW`][no_net_raw]). Allows the operator to control which capabilities + (without [`NET_RAW`][no_net_raw]). Allows the operator to control which capabilities can be obtained by tasks using [`cap_add`][cap_add] and [`cap_drop`][cap_drop] options. Supports the value `"all"` as a shortcut for allow-listing all capabilities supported by the operating system. diff --git a/website/content/docs/drivers/java.mdx b/website/content/docs/drivers/java.mdx index f7e180a52..ad0957dbf 100644 --- a/website/content/docs/drivers/java.mdx +++ b/website/content/docs/drivers/java.mdx @@ -167,7 +167,7 @@ able to make use of IPC features, like sending unexpected POSIX signals. ``` which is modeled after the capabilities allowed by [docker by default][docker_caps] - (sans [`NET_RAW`][no_net_raw]). Allows the operator to control which capabilities + (without [`NET_RAW`][no_net_raw]). Allows the operator to control which capabilities can be obtained by tasks using [`cap_add`][cap_add] and [`cap_drop`][cap_drop] options. Supports the value `"all"` as a shortcut for allow-listing all capabilities supported by the operating system. diff --git a/website/content/docs/upgrade/upgrade-specific.mdx b/website/content/docs/upgrade/upgrade-specific.mdx index e74d16f3c..0a5c1ac61 100644 --- a/website/content/docs/upgrade/upgrade-specific.mdx +++ b/website/content/docs/upgrade/upgrade-specific.mdx 
@@ -60,20 +60,21 @@ already explicitly set `CONSUL_HTTP_ADDR` then it will not get overridden. Following the security [remediation][no_net_raw] in Nomad versions 0.12.12, 1.0.5, and 1.1.0-rc1, the `exec` and `java` task drivers will additionally no longer enable -the following linux capabilities by default: +the following linux capabilities by default. ``` AUDIT_CONTROL AUDIT_READ BLOCK_SUSPEND DAC_READ_SEARCH IPC_LOCK IPC_OWNER LEASE -LINUX_IMMUTABLE MAC_ADMIN MAC_OVERRIDE NET_ADMIN NET_BROADCAST SYS_ADMIN +LINUX_IMMUTABLE MAC_ADMIN MAC_OVERRIDE NET_ADMIN NET_BROADCAST NET_RAW SYS_ADMIN SYS_BOOT SYSLOG SYS_MODULE SYS_NICE SYS_PACCT SYS_PTRACE SYS_RAWIO SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG WAKE_ALARM ``` -The capabilities now enabled by default are modeled after Docker default [`linux capabilities`]: +The capabilities now enabled by default are modeled after Docker default +[`linux capabilities`] (excluding `NET_RAW`). ``` AUDIT_WRITE CHOWN DAC_OVERRIDE FOWNER FSETID KILL MKNOD NET_BIND_SERVICE -NET_RAW SETFCAP SETGID SETPCAP SETUID SYS_CHROOT +SETFCAP SETGID SETPCAP SETUID SYS_CHROOT ``` A new `allow_caps` plugin configuration parameter for [`exec`][allow_caps_exec]
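Review bot: The CHANGELOG.md hunk files this under backwards incompatibilities but does not tell operators how to get a needed capability back; since the upgrade-specific.mdx hunk already introduces the new `allow_caps` plugin parameter and the driver docs reference `cap_add`, a short pointer in the entry (for example "tasks that need one of the removed capabilities must be allowed it via the driver's `allow_caps` config and request it with `cap_add`") would save operators a trip to the upgrade guide. Consider also writing "Linux" as a proper noun in "Reduce set of linux capabilities enabled by default".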
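Review bot: In the docker.mdx hunk the sentence following the changed line, "Allows the operator to control which capabilities can be obtained by tasks using `cap_add` and `cap_drop` options.", has no subject; "This allows the operator to control ..." reads cleanly. The same fragment is carried verbatim in the exec.mdx and java.mdx hunks, so whichever wording is chosen should be applied to all three, and since the paragraph is now identical across the three driver pages apart from "the same list of" versus "modeled after", a shared partial would keep them from drifting again.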
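Review bot: The upgrade-specific.mdx hunk changes the two lines that introduce the fenced capability lists from ending in a colon to ending in a full stop ("+the following linux capabilities by default." and "+[`linux capabilities`] (excluding `NET_RAW`)."), which disconnects each sentence from the list it introduces; keep the colon after "by default" and after "(excluding `NET_RAW`)". The content change itself is consistent: `NET_RAW` moves from the enabled list to the disabled list and the prose calls out the exclusion, so the two lists together now match the Docker default set minus `NET_RAW` as described in the driver docs.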