Bug 2459963 (CVE-2026-6893)

Summary: CVE-2026-6893 dracut: dracut: Root code execution via DHCP options command injection
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: rhel-process-autobot, security-response-team, watson-tool-maintainers
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP (Dynamic Host Configuration Protocol) options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and written into temporary shell scripts without proper escaping, leading to command injection. This allows the attacker to achieve root code execution within the initramfs, potentially compromising the system's boot and network behavior.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Deadline: 2026-06-10

Description OSIDB Bzimport 2026-04-21 02:37:47 UTC
AI_ONLY_REPORT
package: RHEL_base/dracut-107-4.el10
[Security] Command Injection via DHCP Options in dhclient-script.sh
Hello dracut maintainers,
We believe that we have discovered a potential security vulnerability in this repository: command injection in the legacy DHCP path (`modules.d/35network-legacy/dhclient-script.sh`), leading to root code execution in initramfs.

Vulnerability details

DHCP-provided values are written into temporary shell scripts and later sourced as root, without safe shell escaping.
`modules.d/35network-legacy/dhclient-script.sh`:
```sh
[ -n "$hostname" ] && echo "echo ${hostname%."$domain"}${domain:+.$domain} > /proc/sys/kernel/hostname" > /tmp/net."$netif".hostname
...
echo ip route replace default via "$main_gw" dev "$netif" >> /tmp/net."$netif".gw
...
echo "/sbin/ip route replace $temp_result"
```

These generated files are then sourced in `modules.d/45net-lib/net-lib.sh`:
```sh
[ -e /tmp/net."$netif".hostname ] && . /tmp/net."$netif".hostname
[ -e /tmp/dhclient."$netif".dhcpopts ] && . /tmp/dhclient."$netif".dhcpopts
[ -e /tmp/net."$netif".gw ] && . /tmp/net."$netif".gw
```

And initqueue jobs are sourced as shell code in `modules.d/99base/init.sh`:
```sh
for job in "$hookdir"/initqueue/*.sh; do
    job=$job . "$job"
done
```

A malicious DHCP server can provide `host-name` (and potentially routing-related options) containing shell metacharacters, which are persisted into these scripts and executed as root.
Relevant CWEs:
CWE-78: Improper Neutralization of Special Elements used in an OS Command.
CWE-94: Improper Control of Generation of Code (dynamic shell script generation from untrusted input).

Reproduction steps

1. Build an initramfs boot path that uses `35network-legacy` and `dhclient` (`ip=dhcp`, `rd.neednet=1`).
2. On the same L2 segment, run a DHCP server that returns a malicious host-name, for example:
`host-name = "pwn; touch /tmp/dracut_poc #"`
3. Boot the target so DHCP reaches `BOUND`.
4. Observe the generated script content (in the initramfs shell):
`/tmp/net.<iface>.hostname` contains injected shell syntax.
5. Wait for `setup_net` / initqueue processing; verify that `/tmp/dracut_poc` exists, proving command execution as root.

Proposed fix (example patch)

```diff
diff --git a/modules.d/35network-legacy/dhclient-script.sh b/modules.d/35network-legacy/dhclient-script.sh
@@ -72,7 +72,10 @@ setup_interface() {
[ -n "$hostname" ] && echo "echo ${hostname%."$domain"}${domain:+.$domain} > /proc/sys/kernel/hostname" > /tmp/net."$netif".hostname
+ if [ -n "$hostname" ]; then
+ safe_hostname=$(printf '%s' "${hostname%."$domain"}${domain:+.$domain}")
+ printf 'echo %q > /proc/sys/kernel/hostname\n' "$safe_hostname" > /tmp/net."$netif".hostname
+ fi
@@ -54,7 +57,7 @@ setup_interface() {

echo ip route replace default via "$main_gw" dev "$netif" >> /tmp/net."$netif".gw
+ printf 'ip route replace default via %q dev %q\n' "$main_gw" "$netif" >> /tmp/net."$netif".gw
 if [ -n "$other_gw" ]; then
 for g in $other_gw; do

echo ip route add default via "$g" dev "$netif" >> /tmp/net."$netif".gw
+ printf 'ip route add default via %q dev %q\n' "$g" "$netif" >> /tmp/net."$netif".gw
 done
 fi
@@ -159,7 +162,7 @@ parse_option_121() {

echo "/sbin/ip route replace $temp_result"
+ printf '/sbin/ip route replace %q\n' "$temp_result"
 done
 }
```
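Review bot: in the `@@ -72,7 +72,10 @@` hunk, `printf 'echo %q ...'` relies on `%q`, a bash extension; if `dhclient-script.sh` or the script that later sources `/tmp/net."$netif".hostname` runs under a POSIX `sh` (dash, busybox ash), `%q` is either unsupported or emits `$'...'` quoting the consumer cannot parse, so the fix fails exactly where it matters. The `safe_hostname=$(printf '%s' "...")` line is a plain copy of the expansion and adds nothing. The original `echo` line also carries no `-` marker in the hunk as shown, so confirm the vulnerable line is actually removed rather than kept as context. A stronger change is to validate the hostname against the RFC 1123 label grammar and refuse anything else; a value that passes that check needs no escaping at all.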
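Review bot: the `@@ -54,7 +57,7 @@` hunk still iterates `for g in $other_gw` unquoted, so a DHCP-supplied value is word-split and glob-expanded before `%q` ever sees it; quoting the output does not help when the input loop is already unsafe. Since `main_gw` and each `g` must be IP addresses for `ip route` to accept them, validate them as such (dotted-quad or IPv6 syntax) and drop anything that does not match instead of escaping arbitrary strings; the `%q` portability concern from the first hunk applies here too. The hunk is also listed out of line order (`-54` after `-72`); reorder it so the diff applies cleanly.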
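Review bot: in the `@@ -159,7 +162,7 @@` hunk, `printf '/sbin/ip route replace %q\n' "$temp_result"` quotes the whole of `$temp_result` as a single shell word, whereas the original `echo "... $temp_result"` relied on the value expanding to several arguments; if `temp_result` is a multi-word route spec, the generated command now passes it as one argument and `ip route replace` fails. Option 121 (classless static routes) is a binary encoding of prefix and gateway, so the safer change is to build those fields from validated numeric octets and emit them as separate fixed-format arguments rather than escaping a preassembled string.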

Longer-term, avoiding dynamic shell script generation for DHCP-derived values would be safer.

CVSS 3.1 estimate

*Score:* 8.8 (HIGH)
*Vector:* `CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`

Brief rationale:
*AV:A*: attacker must be on the adjacent network (DHCP domain).
*AC:L*: straightforward malicious DHCP response.
*PR:N*: no prior auth required.
*UI:N*: no user interaction.
*S:U*: impact within the same trust scope.
*C/I/A:H*: root command execution in initramfs can fully compromise boot/network behavior and availability.


------
This report was generated using AI technology. Always review AI-generated content prior to use.
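As an added illustration of the mitigation the report's closing remark points at (this is not dracut code and not part of the report), the POSIX sh sketch below validates a DHCP host-name against an allowlist and hands it from producer to consumer as data rather than as generated shell code. The file paths and the `demo_dir` target are constructed stand-ins for `/tmp/net."$netif".hostname` and `/proc/sys/kernel/hostname`.

```shell
#!/bin/sh
# Added example, not dracut code: handle a DHCP-supplied host-name without
# ever generating shell code from it. The value is allowlisted (RFC 1123
# hostname grammar) and passed on as plain data read with `read -r`.
# POSIX sh only; no bash-specific printf %q.

# Return 0 if $1 is a valid hostname: at most 253 chars, labels of 1..63
# alphanumerics or '-', not starting or ending with '-', joined by single dots.
valid_hostname() {
    h=$1
    [ -n "$h" ] && [ "${#h}" -le 253 ] || return 1
    case $h in
        *[!A-Za-z0-9.-]* | .* | *. | *..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $h   # split into labels; $h holds no glob characters by now
    IFS=$old_ifs
    for label in "$@"; do
        [ "${#label}" -le 63 ] || return 1
        case $label in
            -* | *-) return 1 ;;
        esac
    done
    return 0
}

# Producer (dhclient-script side): store the DHCP value as one line of data
# in file $2, or refuse it. Nothing written to $2 is ever sourced.
store_dhcp_hostname() {
    valid_hostname "$1" || { echo "rejecting DHCP host-name: $1" >&2; return 1; }
    printf '%s\n' "$1" > "$2"
}

# Consumer (net-lib side): read data file $1 and write the name to $2, which
# would be /proc/sys/kernel/hostname in initramfs; callers pass a constructed
# path here so the example runs unprivileged. The value is re-checked on read.
apply_hostname() {
    [ -r "$1" ] || return 1
    IFS= read -r h < "$1" || return 1
    valid_hostname "$h" || return 1
    printf '%s\n' "$h" > "$2"
}

# Demo with constructed paths: a legitimate name is stored and applied; the
# sample from the report's reproduction steps is refused before it is written.
demo_dir=$(mktemp -d)
store_dhcp_hostname 'host1.example.com' "$demo_dir/net.eth0.hostname"
apply_hostname "$demo_dir/net.eth0.hostname" "$demo_dir/kernel_hostname"
store_dhcp_hostname 'pwn; touch /tmp/dracut_poc #' "$demo_dir/net.eth0.hostname" || true
```

The same allowlist-then-data pattern applies to the gateway values: accept only strings that parse as IP addresses and never let the consumer source what the producer wrote.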

Comment 2 errata-xmlrpc 2026-06-17 09:23:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:26532 https://access.redhat.com/errata/RHSA-2026:26532

Comment 3 errata-xmlrpc 2026-06-17 09:35:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:26534 https://access.redhat.com/errata/RHSA-2026:26534

Comment 4 errata-xmlrpc 2026-06-17 10:08:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:26533 https://access.redhat.com/errata/RHSA-2026:26533