#1139725 dracut: CVE-2026-6893: Root code execution via DHCP options command injection

Package:
src:dracut
Source:
src:dracut
Submitter:
Salvatore Bonaccorso
Date:
2026-06-12 04:03:02 UTC
Severity:
normal
Tags:
#1139725#5
Date:
2026-06-12 04:01:23 UTC
From:
To:
Hi,

The following vulnerability was published for dracut.

CVE-2026-6893[0]:
| A flaw was found in dracut. A remote attacker on the adjacent
| network can exploit this vulnerability by providing specially
| crafted DHCP (Dynamic Host Configuration Protocol) options, such as
| a malicious hostname, to a system using dracut's legacy DHCP path.
| These options are improperly handled and written into temporary
| shell scripts without proper escaping, leading to command injection.
| This allows the attacker to achieve root code execution within the
| initramfs, potentially compromising the system's boot and network
| behavior.

Only main reference is the bugzilla entry from Red Hat[1] but there is
a draft merge request upsream now at time of writing[2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-6893
https://www.cve.org/CVERecord?id=CVE-2026-6893
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2459963
[2] https://github.com/dracut-ng/dracut/pull/2469

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore