CVE-2026-30874

Low · LPE

Published: 19 March 2026

Modified: 23 March 2026
CVSS Score v4: 1.8
CVSS v4 vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0001 (2.0th percentile)
Risk Priority: 4 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-30874 is a low-severity Injection (CWE-74) vulnerability in OpenWrt. Its CVSS base score is 1.8 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 2.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-30874 is a vulnerability in the OpenWrt Project, a Linux operating system targeting embedded devices, affecting versions prior to 24.10.6. The issue lies in the hotplug_call function, which is designed to filter out sensitive environment variables like PATH when executing hotplug scripts in /etc/hotplug.d. Due to a bug using strcmp instead of strncmp, the filter compares the full environment string (e.g., PATH=/some/value) against the literal "PATH", causing the match to always fail. As a result, the PATH variable is not excluded, allowing injection of an arbitrary PATH that influences binary execution by procd-invoked scripts running with elevated privileges. The vulnerability is rated 7.8 on the CVSS 3.1 scale (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWEs 74, 187, and 269.

A local attacker with low privileges can exploit this vulnerability by crafting a malicious PATH environment variable. When procd invokes hotplug scripts under elevated privileges, the injected PATH determines which binaries are executed, enabling arbitrary code execution and potential privilege escalation.

The vulnerability has been fixed in OpenWrt version 24.10.6. Mitigation involves upgrading to this version or later. Details are provided in the OpenWrt GitHub security advisory at https://github.com/openwrt/openwrt/security/advisories/GHSA-jw28-hxcm-j934 and the patching commit in procd at https://github.com/openwrt/procd/commit/e08cdc8562f55b9ac228a21f3f7605a18c522b81.
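The comparison bug described above, reproduced in a small C program next to a corrected check. This is an added example, not procd's code: the function names, the deny-list array and the sample environment are assumptions, and the extra '=' check goes slightly beyond the strncmp change the page mentions.

```c
#include <stdio.h>
#include <string.h>

/* Deny-list assumed for this example; the page names only PATH. */
static const char *const blocked[] = { "PATH", NULL };

/* Flawed: compares the whole "NAME=value" entry with the bare name, so
 * strcmp() is non-zero for every real entry and nothing is filtered. */
static int is_blocked_flawed(const char *entry)
{
    for (size_t i = 0; blocked[i]; i++)
        if (strcmp(entry, blocked[i]) == 0)
            return 1;
    return 0;
}

/* Fixed: compare only the name's length and require '=' after it, so
 * PATH=... is dropped while PATHEXT=... is left alone. */
static int is_blocked_fixed(const char *entry)
{
    for (size_t i = 0; blocked[i]; i++) {
        size_t n = strlen(blocked[i]);
        if (strncmp(entry, blocked[i], n) == 0 && entry[n] == '=')
            return 1;
    }
    return 0;
}

/* Copy entries that pass the filter into out[]; returns the number kept. */
static size_t filter_env(const char *const in[], const char *out[],
                         int (*is_blocked)(const char *))
{
    size_t kept = 0;
    for (size_t i = 0; in[i]; i++)
        if (!is_blocked(in[i]))
            out[kept++] = in[i];
    out[kept] = NULL;
    return kept;
}
/* Constructed sample environment for a hotplug call (not real device data). */
static const char *const sample_env[] = {
    "ACTION=add", "PATH=/tmp/untrusted", "PATHEXT=x", "DEVICENAME=eth0", NULL };
int main(void)
{
    const char *out[8];
    printf("flawed keeps %zu of 4, ", filter_env(sample_env, out, is_blocked_flawed));
    printf("fixed keeps %zu of 4\n", filter_env(sample_env, out, is_blocked_fixed));
    return 0;
}
```

The same pattern works as a code-review check: any deny-list that matches "NAME=value" strings with a whole-string comparison against a bare name filters nothing.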

EU & UK References

Vulnerability details

OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable filtering and inject an arbitrary PATH variable, potentially leading to privilege escalation.

The function is intended to filter out sensitive environment variables like PATH when executing hotplug scripts in /etc/hotplug.d, but a bug using strcmp instead of strncmp causes the filter to compare the full environment string (e.g., PATH=/some/value) against the literal "PATH", so the match always fails. As a result, the PATH variable is never excluded, enabling an attacker to control which binaries are executed by procd-invoked scripts running with elevated privileges. This issue has been fixed in version 24.10.6.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation · Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1574.007 Path Interception by PATH Environment Variable · Stealth
Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries.

Why these techniques?

Vulnerability allows local PATH environment variable injection into privileged hotplug scripts (due to failed strcmp filter), directly enabling execution hijack of attacker-controlled binaries for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-30871 · Same product: OpenWrt
CVE-2026-30872 · Same product: OpenWrt
CVE-2026-32721 · Same product: OpenWrt
CVE-2026-20408 · Same product: OpenWrt
CVE-2026-20430 · Same product: OpenWrt
CVE-2026-29124 · Shared CWE-269
CVE-2026-0912 · Shared CWE-269
CVE-2025-48645 · Shared CWE-269
CVE-2026-45716 · Shared CWE-269
CVE-2026-7994 · Shared CWE-269

Affected Assets

openwrt/openwrt ≤ 24.10.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Timely flaw remediation directly addresses the specific bug in hotplug_call by applying the patch that fixes the strcmp/strncmp issue and properly filters PATH environment variables.

Prevent: Information input validation at the hotplug_call function would enforce proper filtering and sanitization of sensitive environment variables like PATH to prevent injection.

Prevent: Least privilege enforcement on procd-invoked hotplug scripts limits the scope of privilege escalation even if PATH hijacking occurs.

References