Description
A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP (Dynamic Host Configuration Protocol) options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and written into temporary shell scripts without proper escaping, leading to command injection. This allows the attacker to achieve root code execution within the initramfs, potentially compromising the system's boot and network behavior.
Published: 2026-06-10
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker on the adjacent network can supply malicious DHCP options, such as a crafted hostname, to a system using dracut's legacy DHCP path. These options are written into temporary shell scripts without escaping, triggering command injection and allowing the attacker to run arbitrary code as root while the system is booting. The attacker can compromise the boot process, alter network settings, and gain persistent control.

Affected Systems

Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 9, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 6, Red Hat Hardened Images, Red Hat OpenShift Container Platform 4, and the Red Hat Hummingbird 1 image.

Risk and Exploitability

The flaw carries a CVSS score of 8.8, classifying it as high severity. Exploitation requires an attacker to control a DHCP server on an adjacent network segment and requires the target to use DHCP during its initramfs phase. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote but constrained to adjacent networks, making the risk significant for systems that must boot with DHCP in potentially untrusted environments.

Generated by OpenCVE AI on June 10, 2026 at 21:21 UTC.

Remediation

Vendor Workaround

To mitigate this issue, ensure that systems configured to obtain network settings via DHCP in the initramfs are only booted on trusted networks. This vulnerability requires an attacker to control a DHCP server on the adjacent network segment. If network configuration via DHCP is not strictly necessary during the initramfs phase, consider using static network configuration.


OpenCVE Recommended Actions

  • Apply the latest Red Hat patch for dracut or upgrade to a version where the DHCP options handling is fixed
  • Configure the initramfs to use static network settings or disable the legacy DHCP path
  • Boot the system only on trusted networks or secure the network segment so that the DHCP server cannot be controlled by an attacker

Generated by OpenCVE AI on June 10, 2026 at 21:21 UTC.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 20:00:00 +0000

Type                | Values Removed | Values Added
Description         | (empty)        | A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP (Dynamic Host Configuration Protocol) options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and written into temporary shell scripts without proper escaping, leading to command injection. This allows the attacker to achieve root code execution within the initramfs, potentially compromising the system's boot and network behavior.
Title               | (empty)        | Dracut: dracut: root code execution via dhcp options command injection
First Time appeared | (empty)        | Redhat; Redhat enterprise Linux; Redhat hummingbird; Redhat openshift
Weaknesses          | (empty)        | CWE-78
CPEs                | (empty)        | cpe:/a:redhat:hummingbird:1; cpe:/a:redhat:openshift:4; cpe:/o:redhat:enterprise_linux:10; cpe:/o:redhat:enterprise_linux:6; cpe:/o:redhat:enterprise_linux:7; cpe:/o:redhat:enterprise_linux:8; cpe:/o:redhat:enterprise_linux:9
Vendors & Products  | (empty)        | Redhat; Redhat enterprise Linux; Redhat hummingbird; Redhat openshift
References          | (empty)        | (empty)
Metrics             | (empty)        | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-10T19:49:27.553Z

Reserved: 2026-04-23T04:58:44.915Z

Link: CVE-2026-6893

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-10T20:17:29.807

Modified: 2026-06-10T20:22:06.277

Link: CVE-2026-6893

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T21:30:36Z

Weaknesses