CVE-2026-6893
Awaiting Analysis - Queue
Command Injection in Dracut via Malicious DHCP Options

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: Red Hat, Inc.

Description
A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP (Dynamic Host Configuration Protocol) options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and written into temporary shell scripts without proper escaping, leading to command injection. This allows the attacker to achieve root code execution within the initramfs, potentially compromising the system's boot and network behavior.
Meta Information
Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-06-11
AI Q&A: 2026-06-11
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
redhat | dracut | *
CWE ID | Description
CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Executive Summary

CVE-2026-6893 is a security vulnerability in the dracut package that allows a remote attacker on the adjacent network to execute arbitrary root commands on a system during its boot process.

The attacker exploits this by sending specially crafted DHCP options, such as a malicious hostname, to the system using dracut's legacy DHCP path. These DHCP-provided values are improperly handled and written into temporary shell scripts without proper escaping.

Because these scripts are sourced as root during the initramfs stage of booting, the injected commands get executed with root privileges, potentially compromising the system's boot and network behavior.

Impact Analysis

This vulnerability can lead to full root code execution on the affected system during its boot process.

An attacker on the adjacent network can exploit this by providing malicious DHCP options, which results in command injection and complete compromise of the system's boot and network behavior.

Such a compromise can allow the attacker to control the system entirely, potentially leading to data theft, system disruption, or further network attacks.

Detection Guidance

This vulnerability involves command injection via specially crafted DHCP options such as malicious hostnames being written into temporary shell scripts without proper escaping.

Detection on your system could involve monitoring or inspecting DHCP traffic for suspicious or unusual DHCP options containing shell metacharacters or unexpected values in options like 'host-name' or routing parameters.

On the system, you could check the contents of temporary shell scripts generated during the initramfs boot process, especially those related to the legacy DHCP path (e.g., modules.d/35network-legacy/dhclient-script.sh), for injected commands or unescaped characters.

Specific commands are not provided in the available resources, but general approaches might include using packet capture tools like tcpdump or Wireshark to capture DHCP traffic, then using grep or similar analysis to look for suspicious DHCP option values.

Mitigation Strategies

Immediate mitigation involves preventing exploitation by avoiding the use of the vulnerable legacy DHCP path in dracut or applying patches that implement safe shell escaping of DHCP options.

Since the vulnerability arises from unescaped DHCP option values being written into shell scripts, applying any available updates or patches that fix this issue by using safe shell escaping (such as using '%q' in printf) is critical.

Additionally, restricting DHCP access to trusted servers only and isolating the system from untrusted adjacent networks can reduce the risk of exploitation.
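
The difference between unescaped and escaped writing of a DHCP value into a sourced script, as an added example that is not dracut's code or its patch. The function names, the new_host_name variable and the sample value are assumptions made for illustration; because '%q' is a bash extension to printf rather than POSIX, the helper falls back to single-quote escaping under other shells.

```sh
#!/bin/sh
# Added example, not dracut code. Function and variable names are hypothetical.

# Quote a value so that a shell sourcing it sees one literal word.
sh_quote() {
    if [ -n "${BASH_VERSION:-}" ]; then
        printf '%q' "$1"    # bash extension named in the mitigation text
    else
        # POSIX fallback: single-quote the value, rewriting each ' as '\''.
        # The trailing x keeps $( ) from stripping newlines in the value.
        q=$(printf '%sx' "$1" | sed "s/'/'\\\\''/g")
        printf "'%s'" "${q%x}"
    fi
}

# Unsafe pattern: the untrusted value becomes part of the script text.
write_unsafe() { printf 'new_host_name=%s\n' "$1" > "$2"; }

# Hardened pattern: the value is quoted before it reaches the script.
write_quoted() { printf 'new_host_name=%s\n' "$(sh_quote "$1")" > "$2"; }

# Source a generated file in a subshell and report the hostname that was
# loaded plus whether an extra statement ran (the "injected" marker).
load_report() (
    injected=no
    . "$1" >/dev/null 2>&1
    printf '%s|%s' "$new_host_name" "$injected"
)

# Constructed sample value standing in for a DHCP host-name option.
sample='pc1; injected=yes'
tmp=$(mktemp -d)
write_unsafe "$sample" "$tmp/unsafe.sh"
write_quoted "$sample" "$tmp/quoted.sh"
echo "unsafe: $(load_report "$tmp/unsafe.sh")"
echo "quoted: $(load_report "$tmp/quoted.sh")"
rm -rf "$tmp"
```

In the unsafe file the text after the semicolon runs as a second statement when the file is sourced; in the quoted file the whole value is loaded as the hostname and nothing else executes.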

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
