CVE-2026-41489

HIGH EPSS 3.1%

Published May 11, 20261mo ago · Modified Jun 17, 20261w ago

8.8 CVSS 3.1

High

Published May 11, 2026 1mo ago

Last Modified Jun 17, 2026 1w ago

Description

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read the files.pid path from this config without validation and use it in privileged file operations (install and rm -f). By writing an arbitrary path into files.pid, an attacker with pihole privilege can cause root to delete and then recreate any file on the system outside the ProtectSystem=full-restricted directories, gaining write access to it. On a default Pi-hole installation this yields local privilege escalation to root via SSH authorized keys manipulation. If /root/.ssh/authorized_keys does not exist (default on fresh installs), only ExecStartPre is required. If the file exists, ExecStopPost deletes it first, and the same restart triggers both hooks in sequence. This vulnerability is fixed in Core 6.4.2 and FTL 6.6.1.

CVSS Details

Base Score

8.8

Exploitability

2.0

Impact

6.0

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector Local

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Changed

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

3.1% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 3

CWE-15

CWE-269 Improper Privilege Management Authorization

CWE-732

References 1

github.com https://github.com/pi-hole/pi-hole/security/advisories/GHSA-6w8x-p785-6pm4

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.