Nixpkgs security tracker


Details of issue NIXPKGS-2026-1905 (published 14 hours ago)
Dracut: dracut: root code execution via dhcp options command injection
CVE-2026-6893
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Adjacent (A)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
Updated 14 hours ago by @LeSuisse.

Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP (Dynamic Host Configuration Protocol) options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and written into temporary shell scripts without proper escaping, leading to command injection. This allows the attacker to achieve root code execution within the initramfs, potentially compromising the system's boot and network behavior.
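The description above says the DHCP-supplied values were written into temporary shell scripts without escaping. The following added example is not dracut's code; the function names, the hostname validation rule and the single-quote escaping are assumptions of this example. It shows the defensive pattern for generating a shell-sourceable fragment from untrusted input: validate the value against hostname syntax first, then single-quote it so that sourcing the generated file yields the literal string no matter what it contains.

```shell
#!/bin/sh
# Added, illustrative example (not dracut's code): build a shell-sourceable
# environment fragment from a DHCP-supplied value without letting that value
# be interpreted as shell syntax. Validate first, then single-quote.

# Accept only RFC 1123 hostname syntax: labels of letters, digits and hyphens,
# 1-63 characters each, not starting or ending with a hyphen, joined by dots,
# at most 253 characters overall, and no embedded newline.
validate_hostname() {
    _nl='
'
    case $1 in *"$_nl"*) return 1 ;; esac
    [ ${#1} -le 253 ] || return 1
    printf '%s' "$1" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
}

# Wrap an arbitrary string in single quotes so that sourcing or eval-ing it
# yields the literal string; each embedded single quote becomes '\''.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Write "hostname=<quoted value>" to the file named in $2. Returns 1 and writes
# nothing when the value fails validation, so a later ". $2" cannot run code
# smuggled in through the option value.
emit_dhcp_env() {
    _host=$1
    _out=$2
    validate_hostname "$_host" || return 1
    printf 'hostname=%s\n' "$(shell_quote "$_host")" > "$_out"
}

# Demo with a constructed, valid value: prints the generated fragment.
_demo=$(mktemp)
if emit_dhcp_env 'node-1.example.test' "$_demo"; then
    cat "$_demo"
fi
rm -f "$_demo"
```

The two layers are deliberately independent: validation rejects anything that is not a hostname at all, and quoting guarantees that even a value which slipped past a looser validator is stored as data rather than code. Quoting alone is the essential fix for the class of bug described in the advisory; the allow-list additionally keeps junk out of downstream consumers of the fragment.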

References

Affected products

rhcos
dracut

Matching in nixpkgs

pkgs.dracut

Event driven initramfs infrastructure

  • nixos-unstable 059
    • nixpkgs-unstable 059
    • nixos-unstable-small 111
  • nixos-26.05 059
    • nixos-26.05-small 059
    • nixpkgs-26.05-darwin 059
Needs further analysis.