OpenWrt, Privilege Escalation via Environment Variable Filtering Bypass, CVE-2026-30874 (High)

Listen to this Post

The vulnerability exists in OpenWrt’s hotplug_call function, which is part of the procd process manager. The function is responsible for executing scripts located in /etc/hotplug.d when hardware events occur. It is designed to sanitize the environment before invoking these scripts, specifically by filtering out dangerous variables such as PATH, LD_PRELOAD, and others to prevent privilege escalation. The filtering logic iterates over the environment array and uses a conditional to check if a variable name matches “PATH”. However, a critical bug occurs: the code uses strcmp() instead of strncmp() to compare the full environment string (e.g., “PATH=/usr/bin”) against the literal “PATH”. Since the two strings are never equal, the comparison always fails. As a result, the variable is never excluded from the environment passed to the hotplug scripts. An attacker who can trigger a hotplug event (e.g., by inserting a USB device) and control the environment—perhaps through a previously compromised low-privilege context or by leveraging other injection vectors—can set an arbitrary PATH variable. When the hotplug script runs with elevated privileges (typically root), the attacker’s PATH causes the script to execute a malicious binary instead of the intended system utility. This leads to arbitrary code execution with root privileges, effectively a privilege escalation from an unprivileged user to root. The issue affects all OpenWrt versions prior to 24.10.6. The fix replaces the flawed strcmp() with strncmp() to correctly match the variable name irrespective of its value, ensuring that PATH is properly filtered out.
Platform: OpenWrt
Version: prior 24.10.6
Vulnerability : Env filter bypass
Severity: High
date: March 19 2026

Prediction: March 23 2026

What Undercode Say:

Analytics

Simulate the vulnerable condition by triggering hotplug with controlled PATH
This demonstrates how the filter fails to remove PATH
echo "PATH=/tmp/malicious:$PATH" > /tmp/env_test
The hotplug_call function uses strcmp instead of strncmp
To verify, you can inspect the procd source (service/hotplug.c)
In versions < 24.10.6, the loop contains:
if (strcmp(env[bash], "PATH") == 0) continue; // Bug: full string compared
After fix:
if (strncmp(env[bash], "PATH=", 5) == 0) continue;

How Exploit:

  1. Prepare a malicious binary, e.g., /tmp/malicious/sh that executes a reverse shell.
  2. Create a hotplug event, e.g., by inserting a USB device or triggering a known hotplug action.
  3. Before the event, set the environment variable PATH=/tmp/malicious (or prepend it).
  4. The hotplug script invoked by procd will use the attacker-controlled PATH to locate binaries, executing the malicious one instead of the legitimate utility, gaining root privileges.

Protection from this CVE

  • Upgrade to OpenWrt version 24.10.6 or later.
  • If upgrading is not possible, apply the patch that replaces strcmp with strncmp in the hotplug_call function and rebuild.
  • Restrict physical access to devices to prevent hotplug event triggers by unauthorized users.
  • Use eBPF or seccomp to limit which binaries can be executed by hotplug scripts.

Impact

  • Privilege escalation from an unprivileged user to root.
  • Full compromise of the embedded device.
  • Ability to persist malicious software, intercept network traffic, or use the device as a pivot in larger attacks.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top