HIGH 7.5

CVE-2026-6893: Dracut DHCP Command Injection Vulnerability – Root Code Execution in Initramfs

A vulnerability in dracut, a critical tool used during Linux system boot, allows an attacker on the same local network to inject malicious commands during the DHCP configuration process. By crafting specially designed DHCP responses (for example, containing a hostile hostname), an attacker can execute arbitrary code with root privileges while the system is still booting. This happens because dracut fails to properly escape DHCP data before inserting it into temporary shell scripts used during initialization. The attack requires network proximity but no authentication, making it a practical threat in shared network environments such as offices, data centers, or cloud infrastructure.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-78
Affected products
0 configuration(s)
Published / Modified
2026-06-10 / 2026-07-15

NVD description (verbatim)

A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP (Dynamic Host Configuration Protocol) options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and written into temporary shell scripts without proper escaping, leading to command injection. This allows the attacker to achieve root code execution within the initramfs, potentially compromising the system's boot and network behavior.

13 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in dracut's legacy DHCP client path, where Dynamic Host Configuration Protocol responses are processed during initramfs boot. Specifically, DHCP options—including hostname and other configuration parameters—are incorporated into temporary shell scripts without adequate input sanitization or escaping. This classic command injection flaw (CWE-78) permits an adjacent network attacker to embed shell metacharacters and commands within DHCP option payloads. When the initramfs executes these scripts, the injected commands run with root privileges in the boot environment, before the main operating system kernel fully initializes. The attack surface is particularly exposed during network boot scenarios or systems relying on DHCP for early-stage network configuration.

Business impact

Compromising a system's boot environment is particularly severe because it grants an attacker foundational control before the running OS can apply security policies or endpoint detection tools. An adversary exploiting this flaw can modify boot behavior, persist malware in the initramfs, intercept credentials during network boot, or disable security mechanisms during startup. In data center or cloud environments where systems are frequently reprovisioned or boot over the network, this vulnerability poses a risk to infrastructure integrity. Organizations relying on secure boot chains, network-based OS deployment, or systems running dracut in automated provisioning pipelines face elevated exposure. Recovery requires re-imaging or manual intervention, increasing operational disruption.

Affected systems

Any system using dracut—a widespread initramfs generation tool found on Red Hat, Fedora, CentOS, RHEL, and other Linux distributions—is potentially affected if it relies on the legacy DHCP client path during boot. Systems that boot via PXE, use network-based OS provisioning, or depend on DHCP for early network configuration face the greatest risk. Embedded systems, IoT devices, and hypervisor nodes that employ dracut are also vulnerable. Systems using modern networkd or other DHCP implementations as the primary method may have lower exposure, depending on their dracut configuration. The vendor product list should be verified against your specific distribution and dracut version.

Exploitability

Exploitation requires the attacker to be on the same local network segment (AV:A in CVSS terms), but no authentication or user interaction is needed. The attacker must be able to respond to DHCP requests, typically by running a rogue DHCP server or intercepting legitimate DHCP traffic. While this requires some network positioning, it is not difficult in environments with insufficient DHCP snooping, port security, or network segmentation. The CVSS score of 7.5 reflects high impact (confidentiality, integrity, and availability all compromised) balanced against the requirement for adjacent network access and potentially high complexity to set up the attack. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities catalog, but the straightforward nature of DHCP spoofing and command injection suggests that practical exploits could emerge quickly.

Remediation

Organizations should prioritize patching dracut to a version that properly escapes DHCP options before incorporating them into shell scripts. Until patches are deployed, network segmentation and DHCP snooping controls can reduce exposure by limiting rogue DHCP servers. Disabling the legacy DHCP path in favor of modern network configuration methods (if feasible for your environment) lowers attack surface. Systems that do not require DHCP-based network boot should ensure dracut is not installed or is configured to skip DHCP processing. Additionally, monitoring for unexpected DHCP option injection attempts and network boot anomalies can provide detection during the remediation window.

Patch guidance

Consult your Linux distribution's security advisory for dracut patches released after the vulnerability publication date (2026-06-10). Red Hat, Fedora, and other downstream projects typically issue fixes through their package management systems (yum, dnf, apt). Patches should address proper escaping or sanitization of DHCP options before they are written to temporary scripts. Test patches in a non-production environment first, particularly on systems that boot via PXE or rely on DHCP configuration, to ensure network boot functionality is preserved. Verify patch application by checking dracut version numbers against vendor advisories and confirming that DHCP option handling has been hardened.

Detection guidance

Monitor for malformed or unusually long DHCP option values during boot—especially hostnames and domain names containing shell metacharacters (backticks, dollar signs, semicolons, pipes). Network-based detection should flag DHCP responses originating from unauthorized servers on the segment. Host-based detection is challenging because the attack occurs in the initramfs before logging is fully available; however, examine system logs and boot logs for signs of unexpected command execution or network behavior changes following system boot. If secure boot is enabled, monitor for unsigned initramfs or unexpected modifications. Intrusion detection systems (IDS) can identify DHCP injection patterns if they inspect DHCP payloads. Endpoint detection and response (EDR) tools should alert on anomalous processes spawned during early boot phases.

Why prioritize this

This vulnerability merits immediate attention because it targets the boot process—the foundation of system trust—and requires only network proximity and no authentication. Root code execution in the initramfs is particularly dangerous because it occurs before the kernel and security tools fully activate. While exploitation complexity is moderate (requiring network positioning), the impact is severe and could affect large numbers of systems in networked environments. Organizations with significant Linux infrastructure, particularly those using network boot or dracut-based provisioning, should treat this as high priority for patching and mitigation.

Risk score, explained

The CVSS 7.5 HIGH severity score reflects the combination of high impact (all three CIA triad elements compromised—C:H, I:H, A:H) against moderate exploitability barriers. Adjacent network access (AV:A) and high attack complexity (AC:H) prevent a critical rating, but the consequence of root-level code execution during boot justifies the HIGH classification. For organizations where systems boot over untrusted networks or operate in shared network environments, the practical risk may warrant treating this as critical internally. The absence from CISA's KEV list does not diminish severity; it reflects current observed exploitation rather than technical severity.

Frequently asked questions

Can a system be compromised if DHCP is not used during boot?

If dracut is installed but the system does not rely on DHCP for network configuration during boot, the exposure is reduced but not eliminated if dracut processes DHCP data by default. Verify your dracut configuration and disable the legacy DHCP path if it is not needed for your use case.

How does this differ from typical remote code execution vulnerabilities?

This vulnerability is particularly severe because it executes during the initramfs boot phase, before the main operating system and its security controls fully load. An attacker gains root access at the lowest level, potentially bypassing authentication, endpoint detection, and other runtime protections. Recovery requires more than a simple process kill or restart—it often requires re-imaging.

What is the practical impact if only non-critical systems are vulnerable?

Even if 'non-critical' systems are compromised, an attacker can use them as a foothold to pivot to critical infrastructure, exfiltrate data, or stage further attacks. In networked environments, compromised systems can be weaponized to attack peers or trusted hosts on the same segment.

Are there workarounds if I cannot patch immediately?

Yes. Implement strong network segmentation and DHCP snooping to prevent rogue DHCP servers on your network segment. Disable or remove dracut if not required, and use modern network configuration tools instead of the legacy DHCP path where possible. Monitor for suspicious DHCP activity and boot anomalies as a temporary detection measure.

This analysis is provided for informational purposes and does not constitute professional security advice. Vulnerability severity and exploitability can vary based on specific system configurations, network architecture, and deployment context. Organizations should verify all technical details, patch availability, and compatibility against official vendor advisories and their own environment before taking action. No exploit code, proof-of-concept, or attack tooling is provided or implied. Always test patches in non-production environments first. SEC.co makes no warranty regarding the completeness or accuracy of this intelligence and recommends consulting with your security team and vendor documentation for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).