Description
A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP (Dynamic Host Configuration Protocol) options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and written into temporary shell scripts without proper escaping, leading to command injection. This allows the attacker to achieve root code execution within the initramfs, potentially compromising the system's boot and network behavior.
Published: 2026-06-10
Score: 7.5 High
EPSS: 1.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker on the adjacent network can supply malicious DHCP options, such as a crafted hostname, to a system that configures its network through dracut's legacy DHCP path. These options are written into temporary shell scripts without escaping, so shell metacharacters in them are interpreted when the scripts are executed, and the attacker can run arbitrary commands as root inside the initramfs, before the real root filesystem is mounted. From there the attacker can tamper with the boot process and with the network configuration the booted system inherits, and may be able to establish persistent control of the host.
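The bug class described in the Description and in the Impact paragraph above (CWE-78 through a generated shell script), as an added illustration that is not dracut's code and does not come from the advisory: a DHCP-supplied hostname is interpolated into a script that an initramfs hook later sources, first unquoted, then with the allowlist check and quoting that neutralise it. The function names, the temporary file layout and the sample hostname payload are constructed for this example.

```shell
#!/bin/sh
# Added illustration of the CWE-78 pattern in this CVE. Not dracut's code:
# function names, file layout and the sample DHCP hostname are assumptions.

# Constructed attacker-controlled DHCP hostname (option 12). The injected
# command creates the file named by "$1" so a caller can tell whether it ran.
make_payload() {
    printf 'host; : > %s #' "$1"
}

# Vulnerable pattern: the DHCP value is interpolated into the generated script
# unquoted, so everything after ';' executes when the script is sourced.
vulnerable_write() {   # $1 = hostname from DHCP, $2 = script to generate
    printf 'hostname=%s\n' "$1" > "$2"
}

# Hardened pattern: allowlist the value against the hostname grammar (letters,
# digits, '.' and '-'; no leading/trailing '-', no empty labels, <= 253 chars),
# then single-quote it with embedded quotes escaped so it is data, not code.
hardened_write() {     # $1 = hostname from DHCP, $2 = script to generate
    case "$1" in
        ''|-*|*-|*.|*..*|*.-*|*-.*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ] || return 1
    escaped=$(printf '%s' "$1" | sed "s/'/'\\\\''/g")
    printf "hostname='%s'\n" "$escaped" > "$2"
}

# Source the generated script in a subshell (as an initramfs hook would) and
# report INJECTED if the side-effect marker appeared, otherwise CLEAN.
run_generated() {      # $1 = generated script, $2 = marker path
    rm -f "$2"
    ( . "$1" ) >/dev/null 2>&1 || true
    if [ -e "$2" ]; then echo INJECTED; else echo CLEAN; fi
}

# Source the generated script and print the hostname it set (empty if none).
hostname_from() {      # $1 = generated script
    ( hostname=''; . "$1" 2>/dev/null; printf '%s' "$hostname" )
}

# Stand-alone demo: vulnerable path executes the payload, hardened path
# rejects it, and a legitimate hostname still goes through.
demo() {
    d=$(mktemp -d)
    p=$(make_payload "$d/marker")
    vulnerable_write "$p" "$d/vuln.sh"
    echo "vulnerable: $(run_generated "$d/vuln.sh" "$d/marker")"
    if hardened_write "$p" "$d/safe.sh"; then
        echo "hardened: $(run_generated "$d/safe.sh" "$d/marker")"
    else
        echo "hardened: rejected hostname '$p'"
    fi
    hardened_write 'node-01.example.net' "$d/ok.sh"
    echo "hardened, valid input: hostname=$(hostname_from "$d/ok.sh")"
    rm -rf "$d"
}
demo
```

Run it with sh or bash. The allowlist is the actual fix: once the value can only contain hostname characters there is nothing for the shell to interpret. The single-quoting is defence in depth in case the grammar check is later relaxed, and the generated file should in any case be created with a restrictive umask in a directory the attacker cannot pre-populate.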

Affected Systems

Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 9, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 6, Red Hat Hardened Images, Red Hat OpenShift Container Platform 4, and the Red Hat Hummingbird 1 image.

Risk and Exploitability

The flaw carries a CVSS 3.1 score of 7.5 (vector AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as high severity; Red Hat rates it Important. Exploitation requires an attacker to control a DHCP server, or run a rogue one, on the same network segment as the target, and the target must obtain its network configuration over DHCP through dracut's legacy DHCP path while still in the initramfs. The EPSS score is about 1%, a low but non-zero probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is network-based but limited to adjacent networks, so the risk is most significant for systems that must boot with DHCP on segments that cannot be trusted.

Generated by OpenCVE AI on June 18, 2026 at 03:43 UTC.

Remediation

Vendor Workaround

To mitigate this issue, ensure that systems configured to obtain network settings via DHCP in the initramfs are only booted on trusted networks. This vulnerability requires an attacker to control a DHCP server on the adjacent network segment. If network configuration via DHCP is not strictly necessary during the initramfs phase, consider using static network configuration.


OpenCVE Recommended Actions

  • Configure the initramfs to use static network settings or disable the legacy DHCP path
  • Boot the system only on trusted networks or secure the network segment so that the DHCP server cannot be controlled by an attacker
  • Limit DHCP service on the segment to trusted servers (for example with DHCP snooping on managed switches) and monitor the segment for rogue DHCP servers, since a host that is still in the initramfs cannot defend itself
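The first action above, as an added example that is not from the page or from Red Hat's advisory: the kernel command line form of the weak and the static configuration, using dracut's documented ip= syntax (see dracut.cmdline(7)). The addresses, hostname and interface name are placeholders.

```text
# Weak: the initramfs brings up the network via DHCP and accepts the
# hostname and other options the DHCP server hands out
rd.neednet=1 ip=dhcp

# Static alternative: no DHCP exchange happens in the initramfs at all
# ip=<client-ip>:<peer>:<gateway>:<netmask>:<hostname>:<interface>:none
rd.neednet=1 ip=192.0.2.10::192.0.2.1:255.255.255.0:node1:eth0:none nameserver=192.0.2.53
```

The static form only helps if it is what the initramfs actually uses: check the running kernel command line (/proc/cmdline) after regenerating the bootloader entries, and remember that rd.neednet=1 is only needed at all when something in the initramfs (network root, iSCSI, early NFS) requires the network before the switch to the real root.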

Generated by OpenCVE AI on June 18, 2026 at 03:43 UTC.


Advisories

No advisories yet.

History

Sat, 27 Jun 2026 09:15:00 +0000

  References: updated

Thu, 18 Jun 2026 04:45:00 +0000

  CPEs
    Removed: cpe:/o:redhat:enterprise_linux:10
             cpe:/o:redhat:enterprise_linux:8
    Added:   cpe:/o:redhat:enterprise_linux:10.2
             cpe:/o:redhat:enterprise_linux:8::baseos
  References: updated

Wed, 17 Jun 2026 11:15:00 +0000

  CPEs
    Removed: cpe:/o:redhat:enterprise_linux:9
    Added:   cpe:/a:redhat:enterprise_linux:9::appstream
             cpe:/o:redhat:enterprise_linux:9::baseos
  References: updated

Tue, 16 Jun 2026 18:30:00 +0000

  Metrics (cvssV3_1), attack complexity raised from Low to High
    Removed: {'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    Added:   {'score': 7.5, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 12 Jun 2026 13:30:00 +0000

  Metrics (ssvc)
    Added:   {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 11 Jun 2026 10:45:00 +0000

  First Time appeared
    Added:   Redhat dracut
             Redhat hardened Images
             Redhat openshift Container Platform
  Vendors & Products
    Added:   Redhat dracut
             Redhat hardened Images
             Redhat openshift Container Platform

Thu, 11 Jun 2026 00:15:00 +0000

  References: updated
  Metrics (threat_severity)
    Removed: None
    Added:   Important

Wed, 10 Jun 2026 20:00:00 +0000

  Description
    Added:   A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP (Dynamic Host Configuration Protocol) options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and written into temporary shell scripts without proper escaping, leading to command injection. This allows the attacker to achieve root code execution within the initramfs, potentially compromising the system's boot and network behavior.
  Title
    Added:   Dracut: dracut: root code execution via dhcp options command injection
  First Time appeared
    Added:   Redhat
             Redhat enterprise Linux
             Redhat hummingbird
             Redhat openshift
  Weaknesses
    Added:   CWE-78
  CPEs
    Added:   cpe:/a:redhat:hummingbird:1
             cpe:/a:redhat:openshift:4
             cpe:/o:redhat:enterprise_linux:10
             cpe:/o:redhat:enterprise_linux:6
             cpe:/o:redhat:enterprise_linux:7
             cpe:/o:redhat:enterprise_linux:8
             cpe:/o:redhat:enterprise_linux:9
  Vendors & Products
    Added:   Redhat
             Redhat enterprise Linux
             Redhat hummingbird
             Redhat openshift
  References: updated
  Metrics (cvssV3_1)
    Added:   {'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-30T12:11:04.792Z

Reserved: 2026-04-23T04:58:44.915Z

Link: CVE-2026-6893

Vulnrichment

Updated: 2026-06-30T03:18:33.061Z

NVD

Status : Awaiting Analysis

Published: 2026-06-10T20:17:29.807

Modified: 2026-06-16T19:17:05.343

Link: CVE-2026-6893

Redhat

Severity : Important

Public Date: 2026-06-10T19:39:00Z

Links: CVE-2026-6893 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-18T03:45:05Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')