CVE-2026-30874
Published: 19 March 2026
Summary
CVE-2026-30874 is a high-severity Injection (CWE-74) vulnerability in OpenWrt. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 2.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation directly addresses the specific bug in hotplug_call by applying the patch that fixes the strcmp/strncmp issue and properly filters PATH environment variables.
Information input validation at the hotplug_call function would enforce proper filtering and sanitization of sensitive environment variables like PATH to prevent injection.
Least privilege enforcement on procd-invoked hotplug scripts limits the scope of privilege escalation even if PATH hijacking occurs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows a local user to inject a PATH environment variable into privileged hotplug scripts (because the strcmp-based filter never matches), which directly enables hijacking of the binaries those scripts execute and thus privilege escalation.
NVD Description
OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable filtering and inject an arbitrary PATH variable, potentially leading to privilege escalation. The function is intended to filter out sensitive environment variables like PATH when executing hotplug scripts in /etc/hotplug.d, but a bug using strcmp instead of strncmp causes the filter to compare the full environment string (e.g., PATH=/some/value) against the literal "PATH", so the match always fails. As a result, the PATH variable is never excluded, enabling an attacker to control which binaries are executed by procd-invoked scripts running with elevated privileges. This issue has been fixed in version 24.10.6.
Deeper analysis
CVE-2026-30874 is a vulnerability in the OpenWrt Project, a Linux operating system targeting embedded devices, affecting versions prior to 24.10.6. The issue lies in the hotplug_call function, which is designed to filter out sensitive environment variables like PATH when executing hotplug scripts in /etc/hotplug.d. Due to a bug using strcmp instead of strncmp, the filter compares the full environment string (e.g., PATH=/some/value) against the literal "PATH", causing the match to always fail. As a result, the PATH variable is not excluded, allowing injection of an arbitrary PATH that influences binary execution by procd-invoked scripts running with elevated privileges. The vulnerability is rated 7.8 on the CVSS 3.1 scale (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWEs 74, 187, and 269.
A local attacker with low privileges can exploit this vulnerability by crafting a malicious PATH environment variable. When procd invokes hotplug scripts under elevated privileges, the injected PATH determines which binaries are executed, enabling arbitrary code execution and potential privilege escalation.
The vulnerability has been fixed in OpenWrt version 24.10.6. Mitigation involves upgrading to this version or later. Details are provided in the OpenWrt GitHub security advisory at https://github.com/openwrt/openwrt/security/advisories/GHSA-jw28-hxcm-j934 and the patching commit in procd at https://github.com/openwrt/procd/commit/e08cdc8562f55b9ac228a21f3f7605a18c522b81.
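To make the defect concrete, the following is an added C illustration of the filter pattern the advisory describes, not procd's actual code: the strcmp variant that never matches beside the strncmp-plus-'=' fix, both applied to a constructed environment. The variable list, function names and sample values are assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* Variables that must not reach a privileged hotplug script (assumed list; the advisory names PATH). */
static const char *const sensitive_vars[] = { "PATH", "LD_PRELOAD", NULL };

/* Buggy pattern: strcmp compares the whole "NAME=value" entry with "PATH", so it never matches. */
static bool is_filtered_buggy(const char *entry) {
    for (size_t i = 0; sensitive_vars[i]; i++)
        if (strcmp(entry, sensitive_vars[i]) == 0)
            return true;
    return false;
}

/* Fixed pattern: match only the name, then require '=' so "PATHX=1" is not mistaken for PATH. */
static bool is_filtered_fixed(const char *entry) {
    for (size_t i = 0; sensitive_vars[i]; i++) {
        size_t n = strlen(sensitive_vars[i]);
        if (strncmp(entry, sensitive_vars[i], n) == 0 && entry[n] == '=')
            return true;
    }
    return false;
}

/* Copy accepted entries into out[] (NULL-terminated) and return how many survived. */
static size_t build_child_env(const char *const *in, const char **out,
                              size_t max, bool (*filtered)(const char *)) {
    size_t n = 0;
    for (size_t i = 0; in[i] && n + 1 < max; i++)
        if (!filtered(in[i]))
            out[n++] = in[i];
    out[n] = NULL;
    return n;
}

/* Constructed parent environment: a caller-supplied PATH plus benign variables. */
static const char *const sample_env[] = {
    "ACTION=add", "PATH=/tmp/writable:/usr/bin:/bin", "PATHX=unrelated", "HOME=/root", NULL
};

/* True if any PATH= entry survives into the child environment built with this filter. */
static bool path_reaches_child(bool (*filtered)(const char *)) {
    const char *out[8];
    build_child_env(sample_env, out, 8, filtered);
    for (size_t i = 0; out[i]; i++)
        if (strncmp(out[i], "PATH=", 5) == 0)
            return true;
    return false;
}
```

With the strcmp filter, path_reaches_child(is_filtered_buggy) is true (the caller's PATH survives); with the fixed filter it is false while the unrelated PATHX entry is preserved.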
Details
- CWE(s)