CVE-2026-41489— Pi-hole: Local privilege escalation via config-controlled path in root-executed service hooks

Pi-hole: Local privilege escalation via config-controlled path in root-executed service hooks

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read the files.pid path from this config without validation and use it in privileged file operations (install and rm -f). By writing an arbitrary path into files.pid, an attacker with pihole privilege can cause root to delete and then recreate any file on the system outside the ProtectSystem=full-restricted directories, gaining write access to it. On a default Pi-hole installation this yields local privilege escalation to root via SSH authorized keys manipulation. If /root/.ssh/authorized_keys does not exist (default on fresh installs), only ExecStartPre is required. If the file exists, ExecStopPost deletes it first, and the same restart triggers both hooks in sequence. This vulnerability is fixed in Core 6.4.2 and FTL 6.6.1.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

关键资源的不正确权限授予

Pi-hole 安全漏洞

Pi-hole是Pi-hole公司的一款网络级广告拦截应用程序。 Pi-hole 6.0版本至6.4.2之前版本和FTL 6.6.1之前版本存在安全漏洞，该漏洞源于shell脚本从配置中读取files.pid路径未经验证，可能导致具有pihole权限的攻击者删除并重新创建系统文件，进而通过SSH授权密钥操作实现本地权限提升。

N/A

N/A