CVE-2026-30874

OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable filtering and inject an arbitrary PATH variable, potentially leading to privilege escalation. The function is intended to filter out sensitive environment variables like PATH when executing hotplug scripts in /etc/hotplug.d, but a bug using strcmp instead of strncmp causes the filter to compare the full environment string (e.g., PATH=/some/value) against the literal "PATH", so the match always fails. As a result, the PATH variable is never excluded, enabling an attacker to control which binaries are executed by procd-invoked scripts running with elevated privileges. This issue has been fixed in version 24.10.6.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/openwrt/openwrt/security/advisories/GHSA-jw28-hxcm-j934	Patch Vendor Advisory
https://github.com/openwrt/procd/commit/e08cdc8562f55b9ac228a21f3f7605a18c522b81	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:o:openwrt:openwrt:*:*:*:*:*:*:*:*

History

23 Mar 2026, 19:26

Type	Values Removed	Values Added
References	~~() https://github.com/openwrt/openwrt/security/advisories/GHSA-jw28-hxcm-j934 -~~	() https://github.com/openwrt/openwrt/security/advisories/GHSA-jw28-hxcm-j934 - Patch, Vendor Advisory
References	~~() https://github.com/openwrt/procd/commit/e08cdc8562f55b9ac228a21f3f7605a18c522b81 -~~	() https://github.com/openwrt/procd/commit/e08cdc8562f55b9ac228a21f3f7605a18c522b81 - Patch
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
CPE		cpe:2.3:o:openwrt:openwrt::::::::
Summary		(es) El Proyecto OpenWrt es un sistema operativo Linux dirigido a dispositivos embebidos. En versiones anteriores a la 24.10.6, una vulnerabilidad en la función hotplug_call permite a un atacante eludir el filtrado de variables de entorno e inyectar una variable PATH arbitraria, lo que podría conducir a una escalada de privilegios. La función está diseñada para filtrar variables de entorno sensibles como PATH al ejecutar scripts hotplug en /etc/hotplug.d, pero un error al usar strcmp en lugar de strncmp hace que el filtro compare la cadena de entorno completa (p. ej., PATH= /some /value) contra el literal 'PATH', por lo que la coincidencia siempre falla. Como resultado, la variable PATH nunca es excluida, lo que permite a un atacante controlar qué binarios son ejecutados por scripts invocados por procd que se ejecutan con privilegios elevados. Este problema ha sido solucionado en la versión 24.10.6.
First Time		Openwrt Openwrt openwrt

19 Mar 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-19 23:16

Updated : 2026-03-23 19:26

NVD link : CVE-2026-30874

Mitre link : CVE-2026-30874

CVE.ORG link : CVE-2026-30874

JSON object : View

Products Affected

openwrt

openwrt

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-187

Partial String Comparison

CWE-269

Improper Privilege Management

7.8 /10