What Is GNU Bash?
GNU Bash is the default shell on virtually all Linux distributions, macOS (through Catalina), and many embedded Unix systems. CVE-2014-6278 is part of the Shellshock family of vulnerabilities — a series of related Bash parsing flaws discovered in rapid succession in September 2014 following the initial Shellshock disclosure (CVE-2014-6271). See the CVE-2014-6271 page for full background on the Shellshock vulnerability class and attack vectors.
Overview
CVE-2014-6278 is a Shellshock variant in GNU Bash that describes an additional code injection path — separate from both CVE-2014-6271 and CVE-2014-7169 — that allows remote code execution through crafted environment variables. Discovered during the intensive security research that followed the original Shellshock disclosure, CVE-2014-6278 was identified by security researchers including Michal Zalewski (lcamtuf) and represents a deeper parsing flaw in how Bash initializes function definitions from the environment. The fix was included in Bash 4.3 patch 27. CISA added this to the KEV catalog in October 2025, confirming that Shellshock-family vulnerabilities on unpatched embedded and legacy systems continue to be actively exploited over a decade after disclosure.
Affected Versions
| Bash | CVE-2014-6278 | Status |
|---|---|---|
| ≤ 4.3 patch 26 | Vulnerable | Systems with patch 26 but not patch 27 |
| 4.3 patch 27+ | Fixed | Full fix for CVE-2014-6278 |
| Distribution packages post-September 2014 | Fixed | Distros issued updated packages incorporating all patches |
Technical Details
Root Cause: Additional Bash Environment Parsing Code Path
While CVE-2014-6271 involved trailing commands after function definitions in () { ... } syntax, and CVE-2014-7169 described a bypass of the patch 25 fix, CVE-2014-6278 identifies a further code path in Bash's environment initialization that can be triggered using different environment variable content patterns.
The vulnerability stems from Bash's complex parsing of environment variables during shell startup. When Bash initializes, it scans all environment variables for ones that look like function definitions and imports them. CVE-2014-6278 involves a parsing edge case — possibly related to how Bash handles certain quoting, whitespace, or escape sequences in environment variables — that allows code injection via a different syntactic form that escaped the earlier patches.
The practical impact is the same as CVE-2014-6271: an attacker who can control an environment variable passed to a Bash subprocess (via CGI, DHCP, SSH ForceCommand, etc.) can execute arbitrary commands during Bash initialization.
Attack Vectors
The same attack vectors as CVE-2014-6271 apply:
- CGI scripts: HTTP headers passed as environment variables to CGI-invoked Bash
- DHCP client: Option fields from rogue DHCP servers passed to Bash hooks
- SSH ForceCommand: Environment variable injection via SSH connections
- Other services: Any service that invokes Bash with user-controlled environment variables
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Network — via any service invoking Bash with user env vars |
| Authentication | None required (for CGI/DHCP vectors) |
| Bash Patches | Fixed in patch 27 (patches 25 and 26 insufficient) |
| Discovery | Michal Zalewski (lcamtuf) and other researchers, Sep 2014 |
Discovery
Identified by Michal Zalewski (lcamtuf, Google Project Zero) and other researchers during intensive analysis of Bash's parsing code following the CVE-2014-6271 disclosure. The rapid discovery of multiple independent Shellshock variants reflected the complexity of Bash's environment variable handling and the concentrated security research attention it received in September 2014.
Exploitation Context
- Shellshock exploitation wave: All Shellshock variants were exploited in the same mass scanning campaigns in September 2014; botnets and worms targeted CGI endpoints with variants of the Shellshock payload
- Embedded systems long tail: Routers, NAS devices, IP cameras, and industrial systems running Bash without patch 27 remain vulnerable; many will never receive updates
- CISA KEV (2025): Added October 2025 — eleven years after disclosure — reflecting confirmed exploitation against legacy and embedded systems that remain unpatched
- Patch-tracking gap: Unlike CVE-2014-6271 (widely patched), this variant may have been missed in some patch tracking, leaving systems that believe they are patched still vulnerable
Remediation
- Update Bash to patch 27 or later (or the distribution-packaged equivalent that incorporates all Shellshock patches). Patch 25 or 26 alone is not sufficient for this CVE. Verify with `bash --version`.
- Confirm distribution package version: Major Linux distributions (RHEL, CentOS, Debian, Ubuntu, SUSE) all released packages incorporating patches through 27 in October 2014. Run `yum update bash` or `apt-get upgrade bash` and verify.
- Embedded and IoT devices: Apply latest firmware incorporating all Shellshock patches. Devices receiving only an initial patch (for CVE-2014-6271 only) may not include the fix for CVE-2014-6278.
- Disable CGI scripts using Bash if not required. Use non-Bash interpreters (Python, Perl, PHP) for CGI scripts that receive user-controlled HTTP headers.
- Network isolation: Restrict access to services that invoke Bash with external data (CGI web servers, DHCP clients on untrusted networks) to trusted networks only.
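An added example (not from the advisory or the Bash project) of the verification the remediation steps above call for, which also illustrates the environment-import mechanism described under Technical Details: it parses a `bash --version` line against the patch-27 threshold from the Affected Versions table, and, as a behavioural check that the version string alone cannot give, exports a function and looks at how it appears in the environment, since patch 27 moved function import from any variable whose value starts with `() {` to a dedicated `BASH_FUNC_` namespace. The function names `bash_6278_status`, `bash_function_namespace` and `probe_fn` are the example's own, and the script assumes a POSIX sh plus an installed bash for the second check.

```shell
#!/bin/sh
# Added example (not from the advisory): defender-side checks for the patch-27
# fix. Assumes POSIX sh; bash itself is only needed for the second check.

# 1. Parse the first line of `bash --version` and compare the patch level with
#    the page's threshold: 4.3 needs patch 27 or later, 4.4+ and 5.x post-date
#    the fix, and older release lines are flagged for a manual check of the
#    distribution's backport instead of being judged by version alone.
#    Returns 0 = fixed, 1 = vulnerable, 2 = undecidable from the string.
bash_6278_status() {
    ver=$(printf '%s\n' "$1" | sed -n \
        's/^GNU bash, version \([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver                       # $1=major $2=minor $3=patch
    if [ "$1" -gt 4 ] || { [ "$1" -eq 4 ] && [ "$2" -gt 3 ]; }; then
        return 0
    fi
    if [ "$1" -eq 4 ] && [ "$2" -eq 3 ]; then
        [ "$3" -ge 27 ] && return 0
        return 1
    fi
    return 2                          # 4.2 and older: check the distro backport
}

# 2. Behavioural check that does not rely on the version string (distributions
#    backport fixes without bumping it). Patch 27 stopped importing functions
#    from arbitrary variables whose value starts with "() {" and exports them
#    under BASH_FUNC_<name>%% (upstream) or BASH_FUNC_<name>() (Red Hat's
#    backport). A function exported under its bare name means the pre-patch-27
#    import scheme is still in use.
bash_function_namespace() {
    command -v bash >/dev/null 2>&1 || { echo "no bash"; return 2; }
    case "$(bash -c 'probe_fn() { :; }; export -f probe_fn; env')" in
        *BASH_FUNC_probe_fn%%=*|*"BASH_FUNC_probe_fn()="*)
            echo "namespaced"; return 0 ;;
        *probe_fn=*)
            echo "legacy"; return 1 ;;
        *)
            echo "unknown"; return 2 ;;
    esac
}

if [ "${1:-}" = "--run" ]; then
    bash_6278_status "$(bash --version 2>/dev/null | head -n 1)"
    echo "version check: $? (0 fixed, 1 vulnerable, 2 undecided)"
    bash_function_namespace
fi
```

Run it as `sh check.sh --run` on the host being audited; a "legacy" result from the second check should be treated as unpatched even when the package manager reports the host as up to date.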
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2014-6278 |
| Vendor / Product | GNU — GNU Bash |
| NVD Published | 2014-09-30 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| CISA KEV Added | 2025-10-02 |
| CISA KEV Deadline | 2025-10-23 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2014-09-24 | Original Shellshock (CVE-2014-6271) disclosed; Bash patch 25 released |
| 2014-09-25 | CVE-2014-7169 disclosed (bypass of patch 25); Bash patch 26 released |
| 2014-09-27 | CVE-2014-6278 and additional Shellshock variants identified by Michal Zalewski (lcamtuf) and others |
| 2014-09-29 | Bash patch 27 released, addressing CVE-2014-6278 and related variants |
| 2014-09-30 | CVE-2014-6278 published by NVD |
| 2025-10-02 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2025-10-23 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2014-6278 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Bash 4.3 Patch 27 — Additional Shellshock fix addressing CVE-2014-6278 | Vendor Advisory |
| Cisco Security Advisory — Bash Remote Code Execution (Shellshock) | Vendor Advisory |