Search
On this page ▾
CVE-2014-7169 — GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability

CVE-2014-7169

GNU Bash — Shellshock Incomplete Fix: Trailing String Execution Still Possible After CVE-2014-6271 Patch 25; Requires Patch 26+
🔥 CVSS 3.1  9.8 / 10 — CRITICAL 🔴 CISA Known Exploited Vulnerability

What Is GNU Bash?

GNU Bash is the default command shell on virtually every Linux distribution, macOS (through Catalina), and countless embedded Unix systems. CVE-2014-7169 is a direct follow-on to CVE-2014-6271 (Shellshock) — it describes the remaining exploitability of Bash after the first Shellshock patch (Bash 4.3 patch 25) was applied. See the CVE-2014-6271 page for full background on the Shellshock vulnerability class.

Overview

Actively Exploited. This vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on January 28, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2014-7169 describes the incomplete fix for the original Shellshock vulnerability (CVE-2014-6271). The first Bash patch (patch 25, released September 24, 2014) attempted to block malicious function definitions in environment variables by rejecting variables containing the () { pattern. Security researcher Tavis Ormandy of Google Project Zero demonstrated on the same day that this check could be bypassed — a different pattern still allowed trailing commands to execute during Bash startup. The bypass was reported within hours of the first patch, and the corrected fix was released as Bash patch 26 the following day (September 25, 2014). Any system updated to patch 25 but not patch 26 remained exploitable via CVE-2014-7169.

Affected Versions

Bash Version CVE-2014-6271 CVE-2014-7169
≤ 4.3 patch 24 Vulnerable Vulnerable
4.3 patch 25 Fixed Still vulnerable (incomplete)
4.3 patch 26 Fixed Fixed
4.3 patch 27+ Fixed Fixed (additional hardening)

Distribution-provided packages (RHEL, Ubuntu, Debian, etc.) were updated to incorporate patches 26 and 27 in rapid succession.

Technical Details

Root Cause: Bypass of the Patch 25 Function-Detection Check

The Bash 4.3 patch 25 attempted to fix CVE-2014-6271 by adding a check: if an environment variable's value begins with () {, Bash would import it as a function definition but would not execute any trailing code. The bypass discovered by Tavis Ormandy exploited a different parsing path:

By using a shell variable that creates a malformed function definition using a different construct (e.g., with a redirected temporary file and specific whitespace patterns), an attacker could still trigger code execution during Bash initialization even after patch 25 was applied. The exact bypass involved $'...' quoting or alternative environment variable formats that the patch 25 check did not cover.

Patch 25 bypass proof-of-concept:

env X='() { (a)=>\' bash -c "echo date"; cat /tmp/echo

This command, submitted to Tavis Ormandy's test environment, demonstrated that trailing commands could still execute via a different code path not blocked by patch 25.

Relationship to CVE-2014-6271

CVE-2014-7169 is not a separate vulnerability class from CVE-2014-6271 — it is the same root cause (trailing command execution in Bash environment variable parsing) exploitable via a different pattern after an incomplete patch. The same attack vectors apply: CGI web servers, DHCP clients, SSH ForceCommand, and any service that invokes Bash with user-controlled environment variables.

Attack Characteristics

Attribute Detail
Attack Vector Same as CVE-2014-6271 (CGI, DHCP, SSH, etc.)
Affected Systems Systems patched to Bash patch 25 but not patch 26
Exploitation Same class of attack as original Shellshock
CVSS 9.8 CRITICAL

Discovery

Tavis Ormandy (Google Project Zero) discovered and disclosed the bypass on the same day as the original CVE-2014-6271 disclosure (September 24, 2014). This rapid discovery highlighted the complexity of correctly fixing environment variable parsing in Bash.

Exploitation Context

  • Same campaign scope as Shellshock: The same worms, botnets, and mass exploitation tools that targeted CVE-2014-6271 also targeted CVE-2014-7169, particularly against systems that applied only the initial (incomplete) patch
  • Attack timing: Because CVE-2014-7169 was disclosed the day after the first patch, many organizations that rushed to patch CVE-2014-6271 with patch 25 found themselves still vulnerable via CVE-2014-7169 — a particularly frustrating situation
  • Embedded devices: Routers, NAS, and IoT devices that applied patch 25 but never received a follow-up firmware update remained vulnerable indefinitely
  • CISA KEV: Added January 2022 alongside CVE-2014-6271, confirming continued exploitation of both variants

Remediation

CISA BOD 22-01 Deadline: July 28, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Update Bash to patch 26 or later (or the distribution-packaged equivalent that incorporates both patches). Patch 25 alone is not sufficient. Verify: bash --version should show patch 26+ or the distribution's security patched version.

  2. Distribution packages: Most Linux distributions (RHEL, CentOS, Debian, Ubuntu, SUSE) released updated packages that included patches 26 and 27 within 24 hours of the bypass. Run yum update bash or apt-get update && apt-get upgrade bash and verify the installed version.

  3. Embedded and IoT devices: Devices that received a firmware update for patch 25 but not patch 26 remain vulnerable. Apply the latest available firmware; if no update is available, consider network isolation or replacement.

  4. Audit for exploitation: Same detection approach as CVE-2014-6271 — review CGI access logs for environment variable injection patterns, check for unauthorized cron jobs or backdoors, review authorized_keys files.

Key Details

PropertyValue
CVE ID CVE-2014-7169
Vendor / Product GNU — Bourne-Again Shell (Bash)
NVD Published2014-09-25
NVD Last Modified2025-10-22
CVSS 3.1 Score9.8
CVSS 3.1 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SeverityCRITICAL
CWE CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') find similar ↗
CISA KEV Added2022-01-28
CISA KEV Deadline2022-07-28
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2022-07-28. Apply updates per vendor instructions.

Timeline

DateEvent
2014-09-24CVE-2014-6271 (Shellshock) disclosed; Bash patch 25 released as fix
2014-09-24Tavis Ormandy (Google Project Zero) demonstrates patch 25 is incomplete; CVE-2014-7169 identified
2014-09-25CVE-2014-7169 published; Bash patch 26 released with corrected fix
2014-09-29Bash patch 27 released with additional hardening
2022-01-28Added to CISA Known Exploited Vulnerabilities catalog
2022-07-28CISA BOD 22-01 remediation deadline

References

ResourceType
NVD — CVE-2014-7169 Vulnerability Database
CISA KEV Catalog Entry US Government
Bash 4.3 Patch 26 — Corrects incomplete fix for CVE-2014-6271 Vendor Advisory
Red Hat: Bash vulnerability — Shellshock CVE-2014-6271 and CVE-2014-7169 Security Research

Last updated: 2026-05-24

Suggest an update ↗

Gavin Hollinger & AI assembled this air-gap friendly HTML