Compliance Impact

This vulnerability allows local privilege escalation from the low-privilege pihole account to root, resulting in full root code execution and complete host compromise including confidentiality, integrity, and availability.

Such a compromise could lead to unauthorized access to sensitive data, DNS tampering, persistence, and lateral movement within the network, which may violate data protection requirements under standards like GDPR and HIPAA.

Therefore, if exploited, this vulnerability could negatively impact compliance with regulations that mandate protection of sensitive information and system integrity.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-33727 is a local privilege escalation vulnerability in Pi-hole version 6.4 that allows an attacker with control over the low-privilege "pihole" user account to execute code as the root user.

The "pihole" account is configured with nologin, preventing direct interactive login, but this does not stop code execution as the "pihole" user ID if a Pi-hole component is compromised.

The root cause is that root-run Pi-hole scripts source the file /etc/pihole/versions, which is writable by the "pihole" user due to its ownership and permissions.

An attacker controlling the "pihole" account can modify this file to inject arbitrary shell commands. When root-run Pi-hole scripts source this file, the injected commands execute with root privileges, resulting in full root code execution.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker who has compromised the "pihole" user account to escalate their privileges to root, gaining full control over the affected system.

• Complete host compromise including confidentiality, integrity, and availability.
• Potential DNS tampering, which could redirect or intercept network traffic.
• Persistence on the system, allowing the attacker to maintain access.
• Lateral movement within the network, potentially compromising other systems.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the file /etc/pihole/versions is writable by the low-privilege pihole user account, and by verifying if root-run Pi-hole scripts source this file.

• Check the ownership and permissions of /etc/pihole/versions to confirm it is owned by pihole:pihole with mode 640 or similar.
• Verify if root executes the pihole command periodically via cron jobs.
• A practical test involves appending a harmless command to /etc/pihole/versions as the pihole user and then triggering root execution by running 'pihole -v' or waiting for the cron job.
• Example commands to check permissions and ownership: 'ls -l /etc/pihole/versions'
• Example command to test write access as pihole user: 'sudo -u pihole sh -c "echo test >> /etc/pihole/versions"'
• Trigger root execution by running: 'sudo pihole -v'

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Pi-hole to version 6.4.1 or later, where this vulnerability is fixed.

Additionally, restrict write permissions to the /etc/pihole/versions file so that the pihole user cannot modify it, preventing injection of arbitrary commands.

Review and limit the privileges of the pihole user and monitor root-run Pi-hole scripts and cron jobs for suspicious activity.

Useful 0 Not Useful 0