Skip to main content

dracut EUVDEUVD-2026-36110

| CVE-2026-6893 HIGH
OS Command Injection (CWE-78)
2026-06-10 redhat GHSA-m789-mmmh-7vqc
7.5
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.5 HIGH
AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

AV:A because attacker must be on the same Layer-2 segment to deliver DHCP; AC:H for the race against the legitimate DHCP server; PR:N/UI:N as boot-time DHCP needs no auth or user action; C/I/A:H from root code execution in initramfs.

3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jun 16, 2026 - 19:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 16, 2026 - 19:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 16, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
Jun 16, 2026 - 19:22 NVD
8.8 (HIGH) 7.5 (HIGH)
Analysis Generated
Jun 10, 2026 - 20:30 vuln.today
CVE Published
Jun 10, 2026 - 19:49 nvd
HIGH 8.8

DescriptionCVE.org

A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP (Dynamic Host Configuration Protocol) options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and written into temporary shell scripts without proper escaping, leading to command injection. This allows the attacker to achieve root code execution within the initramfs, potentially compromising the system's boot and network behavior.

AnalysisAI

Root command injection in dracut's legacy DHCP path allows adjacent-network attackers to execute arbitrary commands inside the initramfs by sending crafted DHCP options (e.g., malicious hostname) that are written unescaped into temporary shell scripts. The flaw affects Red Hat Enterprise Linux 6 through 10, Red Hat Hardened Images, and OpenShift Container Platform 4, granting full system compromise during early boot. No public exploit identified at time of analysis, and EPSS is low (0.16%, 36th percentile), but SSVC rates technical impact as total.

Technical ContextAI

Dracut is the initramfs generation tool used by Red Hat-family distributions to assemble the minimal root filesystem executed before the real OS boots; its legacy DHCP module configures the network during this early phase by parsing DHCP server responses. The vulnerability is a classic CWE-78 OS Command Injection: DHCP option values (notably the hostname option) are interpolated into temporary shell scripts without quoting or sanitization, so shell metacharacters embedded by an attacker are evaluated by the initramfs shell. Because initramfs runs as PID 1 with full root privileges before SELinux policy and other userspace defenses fully apply, command execution at this stage yields complete control over the boot environment and any secrets unsealed during boot.

RemediationAI

Patch availability per vendor advisory; consult https://access.redhat.com/security/cve/CVE-2026-6893 and the linked errata for the exact fixed dracut RPM version for each RHEL major release and for OpenShift Container Platform 4 node images, then update dracut and regenerate the initramfs with 'dracut -f' so the fix is actually present in the boot image used at next reboot. If immediate patching is not possible, switch hosts off the legacy DHCP path by configuring dracut to use NetworkManager-in-initramfs (rd.neednet=1 with rd.net.dhcp.retry tuned and the 'network-manager' module instead of the legacy 'network' module), which avoids the vulnerable shell-script DHCP handling at the cost of a larger initramfs and a configuration change. As compensating controls, restrict initramfs DHCP to trusted VLANs by enabling DHCP snooping and port-security on access switches, disable PXE/network boot on systems that do not need it (trade-off: loses remote re-provisioning), or hardcode static IP configuration via 'ip=' kernel cmdline arguments for servers that don't require DHCP. Track remediation progress against Red Hat bug https://bugzilla.redhat.com/show_bug.cgi?id=2459963.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5674 HIGH
8.8 Jul 16

Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Affected
SLES15-SP6-CHOST-BYOS Affected
SLES15-SP6-CHOST-BYOS-Aliyun Affected
SLES15-SP6-CHOST-BYOS-Azure Affected
SLES15-SP6-CHOST-BYOS-EC2 Affected

Share

EUVD-2026-36110 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy