CVE-2026-30874

OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable filtering and inject an arbitrary PATH variable, potentially leading to privilege escalation. The function is intended to filter out sensitive environment variables like PATH when executing hotplug scripts in /etc/hotplug.d, but a bug using strcmp instead of strncmp causes the filter to compare the full environment string (e.g., PATH=/some/value) against the literal "PATH", so the match always fails. As a result, the PATH variable is never excluded, enabling an attacker to control which binaries are executed by procd-invoked scripts running with elevated privileges. This issue has been fixed in version 24.10.6.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/openwrt/openwrt/security/advisories/GHSA-jw28-hxcm-j934	Patch Vendor Advisory
https://github.com/openwrt/procd/commit/e08cdc8562f55b9ac228a21f3f7605a18c522b81	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:o:openwrt:openwrt:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-19 23:16

Updated : 2026-03-23 19:26

NVD link : CVE-2026-30874

Mitre link : CVE-2026-30874

CVE.ORG link : CVE-2026-30874

JSON object : View

Products Affected

openwrt

openwrt

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-187

Partial String Comparison

CWE-269

Improper Privilege Management

{"id": "CVE-2026-30874", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 1.8, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-19T23:16:43.847", "references": [{"url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-jw28-hxcm-j934", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openwrt/procd/commit/e08cdc8562f55b9ac228a21f3f7605a18c522b81", "tags": ["Patch"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-187"}, {"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable filtering and inject an arbitrary PATH variable, potentially leading to privilege escalation. The function is intended to filter out sensitive environment variables like PATH when executing hotplug scripts in /etc/hotplug.d, but a bug using strcmp instead of strncmp causes the filter to compare the full environment string (e.g., PATH=/some/value) against the literal \"PATH\", so the match always fails. As a result, the PATH variable is never excluded, enabling an attacker to control which binaries are executed by procd-invoked scripts running with elevated privileges. This issue has been fixed in version 24.10.6."}, {"lang": "es", "value": "El Proyecto OpenWrt es un sistema operativo Linux dirigido a dispositivos embebidos. En versiones anteriores a la 24.10.6, una vulnerabilidad en la funci\u00f3n hotplug_call permite a un atacante eludir el filtrado de variables de entorno e inyectar una variable PATH arbitraria, lo que podr\u00eda conducir a una escalada de privilegios. La funci\u00f3n est\u00e1 dise\u00f1ada para filtrar variables de entorno sensibles como PATH al ejecutar scripts hotplug en /etc/hotplug.d, pero un error al usar strcmp en lugar de strncmp hace que el filtro compare la cadena de entorno completa (p. ej., PATH= /some /value) contra el literal 'PATH', por lo que la coincidencia siempre falla. Como resultado, la variable PATH nunca es excluida, lo que permite a un atacante controlar qu\u00e9 binarios son ejecutados por scripts invocados por procd que se ejecutan con privilegios elevados. Este problema ha sido solucionado en la versi\u00f3n 24.10.6."}], "lastModified": "2026-03-23T19:26:05.670", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:openwrt:openwrt:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "12B5818C-BB4D-4486-9C53-7FCA8EF2EDA8", "versionEndExcluding": "24.10.6"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}