Source: dracut Version: 111-2 Severity: important Tags: security upstream Forwarded: https://github.com/dracut-ng/dracut/pull/2469 X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for dracut. CVE-2026-6893[0]: | A flaw was found in dracut. A remote attacker on the adjacent | network can exploit this vulnerability by providing specially | crafted DHCP (Dynamic Host Configuration Protocol) options, such as | a malicious hostname, to a system using dracut's legacy DHCP path. | These options are improperly handled and written into temporary | shell scripts without proper escaping, leading to command injection. | This allows the attacker to achieve root code execution within the | initramfs, potentially compromising the system's boot and network | behavior. Only main reference is the bugzilla entry from Red Hat[1] but there is a draft merge request upsream now at time of writing[2]. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-6893 https://www.cve.org/CVERecord?id=CVE-2026-6893 [1] https://bugzilla.redhat.com/show_bug.cgi?id=2459963 [2] https://github.com/dracut-ng/dracut/pull/2469 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
