CVE-2026-62948 in OpenWrtinfo

Summary

by MITRE • 07/15/2026

OpenWrt is a Linux operating system targeting embedded devices. Prior to 25.12.5, odhcpd writes a DHCPv6 client FQDN option 39 hostname into /tmp/odhcpd.leases through src/statefiles.c statefiles_write_state6() and statefiles_write_state4() without escaping, allowing newline injection of forged lease lines that LuCI rpcd-mod-luci getDHCPLeases displays through htdocs/luci-static/resources/view/status/include/40_dhcp.js and htdocs/luci-static/resources/luci.js dom.append as live HTML in the Active DHCPv6 Leases admin page. This vulnerability is fixed in 25.12.5.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability exists within OpenWrt's odhcpd service which handles DHCPv6 operations on embedded devices. This issue stems from improper input validation and sanitization when processing DHCPv6 client FQDN option 39 hostnames. The flaw occurs in the statefiles_write_state6() and statefiles_write_state4() functions located in src/statefiles.c, where hostname data is written directly to /tmp/odhcpd.leases without proper escaping or sanitization measures. When malicious actors craft DHCPv6 client FQDN values containing newline characters, they can inject additional lease entries that appear legitimate to the system's parsing mechanisms.

The operational impact of this vulnerability extends beyond simple data corruption, as it enables arbitrary code execution through HTML injection attacks. The system's web interface, specifically LuCI's rpcd-mod-luci component, retrieves these lease entries and displays them through htdocs/luci-static/resources/view/status/include/40_dhcp.js and htdocs/luci-static/resources/luci.js files. When dom.append processes these maliciously crafted entries, they are rendered as live HTML within the Active DHCPv6 Leases admin page, creating a cross-site scripting scenario that can be exploited by attackers to execute malicious scripts in the context of authenticated users.

This vulnerability aligns with CWE-116 which addresses improper encoding or escaping of output, and maps to ATT&CK technique T1059.007 for script injection. The flaw represents a classic case of insecure data handling where user-controllable input flows directly into system state files without proper validation. The attack vector leverages the trust relationship between the DHCP server and web interface, where legitimate administrative functions become attack surfaces when input sanitization is inadequate. The vulnerability affects all OpenWrt versions prior to 25.12.5, making it particularly concerning for widespread embedded device deployments.

Mitigation strategies should focus on implementing proper input validation and output escaping mechanisms throughout the data flow path. System administrators must upgrade to version 25.12.5 or later where the vulnerability has been patched. Additional defensive measures include implementing strict hostname validation rules that reject newline characters and other potentially dangerous sequences, deploying web application firewalls to filter malicious content, and monitoring DHCP lease files for anomalous entries. Network segmentation and least privilege principles should also be applied to limit the potential impact of successful exploitation attempts, while regular security audits of embedded device configurations can help identify similar vulnerabilities in other components of the system architecture.

Responsible

GitHub M

Reservation

07/15/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!