Description
OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable filtering and inject an arbitrary PATH variable, potentially leading to privilege escalation. The function is intended to filter out sensitive environment variables like PATH when executing hotplug scripts in /etc/hotplug.d, but a bug using strcmp instead of strncmp causes the filter to compare the full environment string (e.g., PATH=/some/value) against the literal "PATH", so the match always fails. As a result, the PATH variable is never excluded, enabling an attacker to control which binaries are executed by procd-invoked scripts running with elevated privileges. This issue has been fixed in version 24.10.6.
Published: 2026-03-19
Score: 1.8 Low
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Immediately
AI Analysis

Impact

The hotplug_call function in OpenWrt is designed to execute scripts in /etc/hotplug.d with elevated privileges, filtering out sensitive environment variables such as PATH. The bug uses strcmp instead of strncmp, causing the comparison to always fail and the PATH variable to remain unfiltered. An attacker can thus inject a custom PATH and control which binaries are executed by procd‑invoked scripts, leading to privilege escalation. This represents a classic string comparison flaw (CWE‑1025) and unauthorized privilege escalation (CWE‑269).

Affected Systems

OpenWrt, the Linux operating system for embedded devices, is affected in all releases prior to 24.10.6. The vulnerability affects the core procd component and the hotplug mechanism used across the platform. Users running an older OpenWrt build should verify their version and consider an upgrade.

Risk and Exploitability

The CVSS score is 1.8, indicating a low severity, and the EPSS score is less than 1 %, suggesting a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Likely attack vectors require local access or the ability to place malicious content in /etc/hotplug.d, which is typically restricted. An attacker who can write hotplug scripts or alter environment variables would be able to execute arbitrary binaries with elevated privileges, but remote exploitation without local access is unlikely.

Generated by OpenCVE AI on March 23, 2026 at 20:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenWrt to version 24.10.6 or newer.

Generated by OpenCVE AI on March 23, 2026 at 20:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:openwrt:openwrt:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 20 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Openwrt
Openwrt openwrt
Vendors & Products Openwrt
Openwrt openwrt

Fri, 20 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1025
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

threat_severity

Important

Thu, 19 Mar 2026 22:45:00 +0000

Type Values Removed Values Added
Description OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable filtering and inject an arbitrary PATH variable, potentially leading to privilege escalation. The function is intended to filter out sensitive environment variables like PATH when executing hotplug scripts in /etc/hotplug.d, but a bug using strcmp instead of strncmp causes the filter to compare the full environment string (e.g., PATH=/some/value) against the literal "PATH", so the match always fails. As a result, the PATH variable is never excluded, enabling an attacker to control which binaries are executed by procd-invoked scripts running with elevated privileges. This issue has been fixed in version 24.10.6.
Title OpenWrt procd PATH Environment Variable Filter Bypass via Incorrect String Comparison Leads to Privilege Escalation
Weaknesses CWE-187
CWE-269
CWE-74
References
Metrics cvssV4_0

{'score': 1.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openwrt Openwrt
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:09:36.205Z

Reserved: 2026-03-06T00:04:56.699Z

Link: CVE-2026-30874

cve-icon Vulnrichment

Updated: 2026-03-20T17:13:08.007Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T23:16:43.847

Modified: 2026-03-23T19:26:05.670

Link: CVE-2026-30874

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-19T22:36:04Z

Links: CVE-2026-30874 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T11:54:23Z

Weaknesses