CVE-2026-6893: Dracut: dracut: root code execution via dhcp options command injection
A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP (Dynamic Host Configuration Protocol) options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and written into temporary shell scripts without proper escaping, leading to command injection. This allows the attacker to achieve root code execution within the initramfs, potentially compromising the system's boot and network behavior.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 7
HarborGuard Analysis
Synopsis
This is a command injection vulnerability in dracut, the initramfs-building tool used across Red Hat Enterprise Linux and related platforms. An attacker on the same network segment can send specially crafted DHCP options (such as a malicious hostname) to a booting system; because dracut's legacy DHCP path writes those options directly into temporary shell scripts without escaping them, the attacker gains root code execution inside the initramfs. Successful exploitation gives the attacker full control over the system's boot sequence and network configuration. No upstream fix has been published; HarborGuard is tracking this advisory for patch availability.
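The flaw class described above is untrusted data being interpolated into generated shell source. The following is an added example, not dracut's or Red Hat's code (the advisory does not reproduce the affected code path), showing the unsafe pattern next to a hardened one that allow-lists the hostname and single-quotes whatever it writes. Function names and the sample DHCP option values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not dracut's own code): the unsafe and the hardened way of
# writing an externally supplied DHCP value into a generated shell fragment.
# Function names are hypothetical; the sample option values are constructed.

# Unsafe pattern: the value is interpolated verbatim, so any shell metacharacters
# it carries become code when the fragment is later sourced.
emit_hostname_fragment_unsafe() {
    printf 'DHCP_HOSTNAME=%s\n' "$1"
}

# Allow-list check: only RFC 1123 style hostname characters, no leading or
# trailing dot or hyphen, no empty label, at most 253 characters.
valid_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
        -*|.*|*-|*.|*.-*|*-.*|*..*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Single-quote a value for safe inclusion in shell source: every embedded
# single quote becomes '\'' so the quoted region can never be closed early.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Hardened pattern: reject values that fail the allow-list, and quote what is
# written so the fragment carries only data.
emit_hostname_fragment() {
    if ! valid_hostname "$1"; then
        printf 'rejected DHCP hostname option: %s\n' "$1" >&2
        return 1
    fi
    printf 'DHCP_HOSTNAME=%s\n' "$(shquote "$1")"
}

# Constructed sample option values, as a DHCP server on the segment might
# supply them; the second one carries shell metacharacters.
for opt in 'host01.example.test' 'host01;echo injected'; do
    printf 'option value: %s\n' "$opt"
    printf 'unsafe fragment: %s\n' "$(emit_hostname_fragment_unsafe "$opt")"
    emit_hostname_fragment "$opt" | sed 's/^/safe fragment:   /'
done
```

Sourcing the hardened fragment yields a plain string assignment regardless of the option's content. The allow-list is the primary control (a hostname has no business containing `;`, `$` or quotes); the quoting is defence in depth for the case where a value must be passed through unchanged.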
HarborGuard Coverage
Detection of CVE-2026-6893 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images derived from RHEL base layers. Any image carrying an affected version of dracut is flagged immediately.
Status: Available
HarborGuard is capable of scoring this finding at CVSS 7.5 HIGH and weighting it against each environment's compliance policy to determine urgency. Triage results are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Status: Available
Because no fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment Red Hat ships an upstream fix. For customers who opt into auto-remediation, that rebuild will trigger a regression run and an automated PR against affected workloads as soon as a fix version is confirmed.
Status: Pending upstream
Exploit Conditions
- Network reachability: Adjacent network
  The attacker must be present on the same adjacent network, LAN, or VPN segment as the target system; remote over-the-internet exploitation is not possible.
- Authentication: Not required
  No credentials or account are needed; the attack is delivered through unauthenticated DHCP responses on the local network.
- Victim interaction: Not required
  No user action is required; the vulnerable code path is triggered automatically when the target system processes DHCP options during boot.
- Attack complexity: High
  Exploitation involves high attack complexity, meaning the attacker may need to meet specific timing or environmental conditions, such as racing the DHCP exchange during the initramfs boot phase.
Blast Radius
- The attacker executes arbitrary commands as root inside the initramfs, with full control over the early boot environment.
- Boot-time network configuration can be modified, redirecting the system to attacker-controlled resources or disabling network security controls before the main OS loads.
- Persistent compromise of the boot sequence is achievable, allowing the attacker to tamper with the root filesystem or inject malicious components before integrity checks run.
- All three impact dimensions are high: the attacker reads, modifies, and can destroy data or crash the system entirely from the initramfs stage.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix has been published for CVE-2026-6893, HarborGuard continuously re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment Red Hat publishes a corrected dracut package. In the interim, compensating controls are worth considering: network policy isolation that prevents untrusted hosts from responding to DHCP on segments where vulnerable systems boot, egress filtering to limit what an initramfs environment can reach, and where possible disabling dracut's legacy DHCP path in favor of a safer network configuration method. For customers who opt into auto-remediation, the patched rebuild will automatically trigger a regression run and a PR opened against affected workloads within the typical median window for high-severity issues once a fix version is available.
Affected Products
- Red Hat / Red Hat Enterprise Linux 10
- Red Hat / Red Hat Enterprise Linux 6
- Red Hat / Red Hat Enterprise Linux 7
- Red Hat / Red Hat Enterprise Linux 8
- Red Hat / Red Hat Enterprise Linux 9
- Red Hat / Red Hat Hardened Images
- Red Hat / Red Hat OpenShift Container Platform 4
CVSS vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H