CVE-2026-30874 in OpenWrt
Summary
by MITRE • 03/20/2026
OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable filtering and inject an arbitrary PATH variable, potentially leading to privilege escalation. The function is intended to filter out sensitive environment variables like PATH when executing hotplug scripts in /etc/hotplug.d, but a bug using strcmp instead of strncmp causes the filter to compare the full environment string (e.g., PATH=/some/value) against the literal "PATH", so the match always fails. As a result, the PATH variable is never excluded, enabling an attacker to control which binaries are executed by procd-invoked scripts running with elevated privileges. This issue has been fixed in version 24.10.6.
Analysis
by VulDB Data Team • 03/25/2026
The vulnerability identified as CVE-2026-30874 affects the OpenWrt Project, a widely used Linux distribution designed for embedded devices such as routers and network appliances. This security flaw exists in versions prior to 24.10.6 and specifically targets the hotplug_call function within the system's hotplug subsystem. The hotplug subsystem is responsible for managing device events and executing corresponding scripts located in the /etc/hotplug.d directory when hardware changes occur in the system. The function serves as a security mechanism to filter environment variables before executing these hotplug scripts, ensuring that sensitive variables like PATH are not passed to potentially untrusted code.
The technical implementation flaw stems from a critical coding error where the strcmp function is used instead of strncmp for string comparison operations. This seemingly minor mistake has severe consequences for the security of the system. When the hotplug_call function attempts to filter environment variables, it compares the complete environment string such as "PATH=/some/value" against the literal string "PATH". Since strcmp performs a full string comparison rather than a prefix comparison, the match will always fail because the full string including the equals sign and value portion will never exactly match the simple "PATH" string. This fundamental error in string handling means that the intended security filter becomes completely ineffective, allowing the PATH variable to pass through unchanged to the executed scripts.
The operational impact of this vulnerability is particularly severe because the affected system components run with elevated privileges. Hotplug scripts are invoked by procd, which operates with root privileges, making this a critical privilege escalation vector. An attacker who can influence the environment variables passed to these scripts can manipulate the PATH variable to point to malicious binaries, effectively gaining control over the execution environment of privileged processes. This allows attackers to execute arbitrary code with root privileges, potentially compromising the entire device and enabling further attacks within the network. The vulnerability is especially dangerous in network equipment where devices may be exposed to untrusted networks or where physical access is possible.
Security mitigations for this vulnerability involve upgrading to OpenWrt version 24.10.6 or later, which contains the fix for the string comparison issue. The fix changes the strcmp call to strncmp so that the filter performs prefix matching against environment variable names. Additionally, system administrators should implement network segmentation and access controls to limit exposure of vulnerable devices, and monitor for suspicious network activity that might indicate exploitation attempts. This vulnerability is classified under CWE-20: Improper Input Validation and maps to ATT&CK technique T1068: Exploitation for Privilege Escalation, demonstrating how improper string handling can lead to critical security consequences in embedded systems. The issue is a classic example of how a seemingly minor coding error in a security-critical function can result in a severe privilege escalation vulnerability that compromises entire network infrastructures.
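The following is an added illustration of the strcmp-versus-strncmp defect described in the analysis above and of the prefix-matching fix; it is example code written for this page, not procd's hotplug_call implementation, and its blocklist, sample environment and function names are constructed for the demonstration. The fixed variant additionally checks for the '=' terminator so that a longer name such as PATHX is not dropped by accident, a detail that goes beyond the one-word fix the advisory describes.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Both filters answer the same question: should this "NAME=value"
 * entry be dropped before a hotplug script runs? Blocklist is illustrative. */
static const char *const blocked[] = { "PATH", "LD_PRELOAD", NULL };

/* Buggy variant: compares the whole "NAME=value" entry with the bare
 * name, so "PATH=/tmp/x" never equals "PATH" and nothing is filtered. */
bool should_drop_buggy(const char *entry)
{
    for (size_t i = 0; blocked[i]; i++)
        if (strcmp(entry, blocked[i]) == 0)
            return true;
    return false;
}

/* Fixed variant: match the name prefix and require '=' right after it,
 * so "PATH=..." is caught but a longer name such as "PATHX=..." is not. */
bool should_drop_fixed(const char *entry)
{
    for (size_t i = 0; blocked[i]; i++) {
        size_t n = strlen(blocked[i]);
        if (strncmp(entry, blocked[i], n) == 0 && entry[n] == '=')
            return true;
    }
    return false;
}

/* Count the entries of a NULL-terminated environment that survive a filter. */
size_t count_kept(const char *const *envp, bool (*drop)(const char *))
{
    size_t kept = 0;
    for (size_t i = 0; envp[i]; i++)
        if (!drop(envp[i]))
            kept++;
    return kept;
}

int main(void)
{
    /* Constructed sample environment, not captured from a device. */
    const char *const env[] = { "PATH=/tmp/untrusted:/usr/bin", "HOME=/root",
                                "ACTION=add", "LD_PRELOAD=/tmp/x.so", NULL };
    printf("buggy filter keeps %zu entries, fixed filter keeps %zu\n",
           count_kept(env, should_drop_buggy), count_kept(env, should_drop_fixed));
    return 0;
}
```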