{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30874", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-06T00:04:56.699Z", "datePublished": "2026-03-19T22:36:04.507Z", "dateUpdated": "2026-03-20T18:09:36.205Z"}, "containers": {"cna": {"title": "OpenWrt procd PATH Environment Variable Filter Bypass via Incorrect String Comparison Leads to Privilege Escalation", "problemTypes": [{"descriptions": [{"cweId": "CWE-187", "lang": "en", "description": "CWE-187: Partial String Comparison", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 1.8, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-jw28-hxcm-j934", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-jw28-hxcm-j934"}, {"name": "https://github.com/openwrt/procd/commit/e08cdc8562f55b9ac228a21f3f7605a18c522b81", "tags": ["x_refsource_MISC"], "url": "https://github.com/openwrt/procd/commit/e08cdc8562f55b9ac228a21f3f7605a18c522b81"}], "affected": [{"vendor": "openwrt", "product": "openwrt", "versions": [{"version": "< 24.10.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:36:04.507Z"}, "descriptions": [{"lang": "en", "value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable filtering and inject an arbitrary PATH variable, potentially leading to privilege escalation. The function is intended to filter out sensitive environment variables like PATH when executing hotplug scripts in /etc/hotplug.d, but a bug using strcmp instead of strncmp causes the filter to compare the full environment string (e.g., PATH=/some/value) against the literal \"PATH\", so the match always fails. As a result, the PATH variable is never excluded, enabling an attacker to control which binaries are executed by procd-invoked scripts running with elevated privileges. This issue has been fixed in version 24.10.6."}], "source": {"advisory": "GHSA-jw28-hxcm-j934", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T17:13:02.973267Z", "id": "CVE-2026-30874", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T18:09:36.205Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30874", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T17:13:02.973267Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T17:13:08.007Z"}}], "cna": {"title": "OpenWrt procd PATH Environment Variable Filter Bypass via Incorrect String Comparison Leads to Privilege Escalation", "source": {"advisory": "GHSA-jw28-hxcm-j934", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 1.8, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "openwrt", "product": "openwrt", "versions": [{"status": "affected", "version": "< 24.10.6"}]}], "references": [{"url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-jw28-hxcm-j934", "name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-jw28-hxcm-j934", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openwrt/procd/commit/e08cdc8562f55b9ac228a21f3f7605a18c522b81", "name": "https://github.com/openwrt/procd/commit/e08cdc8562f55b9ac228a21f3f7605a18c522b81", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable filtering and inject an arbitrary PATH variable, potentially leading to privilege escalation. The function is intended to filter out sensitive environment variables like PATH when executing hotplug scripts in /etc/hotplug.d, but a bug using strcmp instead of strncmp causes the filter to compare the full environment string (e.g., PATH=/some/value) against the literal \"PATH\", so the match always fails. As a result, the PATH variable is never excluded, enabling an attacker to control which binaries are executed by procd-invoked scripts running with elevated privileges. This issue has been fixed in version 24.10.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-187", "description": "CWE-187: Partial String Comparison"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:36:04.507Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30874", "state": "PUBLISHED", "dateUpdated": "2026-03-20T18:09:36.205Z", "dateReserved": "2026-03-06T00:04:56.699Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T22:36:04.507Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable filtering and inject an arbitrary PATH variable, potentially leading to privilege escalation. The function is intended to filter out sensitive environment variables like PATH when executing hotplug scripts in /etc/hotplug.d, but a bug using strcmp instead of strncmp causes the filter to compare the full environment string (e.g., PATH=/some/value) against the literal \"PATH\", so the match always fails. As a result, the PATH variable is never excluded, enabling an attacker to control which binaries are executed by procd-invoked scripts running with elevated privileges. This issue has been fixed in version 24.10.6."}], "id": "CVE-2026-30874", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.8, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T23:16:43.847", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-jw28-hxcm-j934"}, {"source": "security-advisories@github.com", "url": "https://github.com/openwrt/procd/commit/e08cdc8562f55b9ac228a21f3f7605a18c522b81"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-187"}, {"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "OpenWrt: procd: OpenWrt procd: Privilege escalation via PATH environment variable injection", "id": "2449311", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449311"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-1025", "details": ["A flaw was found in the `procd` component of OpenWrt. A highly privileged local attacker can bypass environment variable filtering in the `hotplug_call` function by injecting an arbitrary `PATH` variable. This vulnerability, caused by an incorrect string comparison, allows the attacker to control which binaries are executed by `procd`-invoked scripts running with elevated privileges, potentially leading to privilege escalation."], "name": "CVE-2026-30874", "public_date": "2026-03-19T22:36:04Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-30874\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-30874\nhttps://github.com/openwrt/openwrt/security/advisories/GHSA-jw28-hxcm-j934\nhttps://github.com/openwrt/procd/commit/e08cdc8562f55b9ac228a21f3f7605a18c522b81"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,24.10.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openwrt", "source": "cna", "vendor": "openwrt"}, "product": "openwrt", "vendor": "openwrt"}], "analysis": {"en": {"generated_at": "2026-03-20T02:51:07.626156+00:00", "value": {"mitigation_remediation": ["Upgrade the device to OpenWrt 24.10.6 or later to apply the hotplug_call fix", "Verify that the installed procd binary matches the patched version by checking its release information", "Restrict write permissions on /etc/hotplug.d to trusted users and audit existing scripts for malicious content", "If hotplug functionality is unnecessary, disable it to eliminate the exploitation surface", "Apply general hardening: limit local shell access, monitor for unauthorized script changes, and enforce least\u2011privilege principles"], "summary": {"action": "Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Affected product: OpenWrt (openwrt:openwrt). All releases older than 24.10.6 are vulnerable. The issue was fixed in OpenWrt 24.10.6. Devices running that version or newer are not impacted.", "description_and_impact": "The vulnerability resides in OpenWrt\u2019s procd procd_call function, which is intended to filter sensitive environment variables such as PATH from hotplug scripts in /etc/hotplug.d. Key detail from the description: the function uses strcmp instead of strncmp to compare the entire environment string (e.g., \"PATH=/some/value\") against the literal \"PATH\", causing the check to always fail. As a result, the PATH variable is never excluded. An attacker who can inject a hotplug script can therefore set an arbitrary PATH, causing procd-invoked scripts that run with elevated privileges to execute binaries chosen by the attacker. The flaw maps to several weaknesses, including improper enforcement of security policy (CWE\u20111025), partial hash collision (CWE\u2011187), improper privilege management (CWE\u2011269), and path traversal (CWE\u201174).", "risk_and_exploitability": "Based on the description, it is inferred that the attack vector is local, requiring the attacker to trigger a hotplug event or place a malicious script in /etc/hotplug.d, which implies local access or influence over the device\u2019s device management subsystem. The CVSS score of 1.8 indicates low overall severity, and no EPSS score is available. The vulnerability is not included in CISA\u2019s KEV catalog, further suggesting limited exploitation. The potential impact is privilege escalation; once the procd process runs a script with a crafted PATH, it can execute any privileged binary the attacker selects. Given the low severity score and requirement for local interaction, the risk is considered modest unless an attacker has local foothold or can influence local scripts."}}}}, "created": "2026-03-20T08:54:42.657751+00:00", "updated": "2026-03-20T10:44:10.742051+00:00", "vendors": ["openwrt", "openwrt$PRODUCT$openwrt"]}