⚠ Actively exploited
Added to CISA KEV on 2025-10-02. Federal agencies required to patch by 2025-10-23. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. .

CVE-2014-6278

CWE-78OS Command InjectionCWE-119Buffer Overflow18 documents12 sources
Severity
8.8HIGH
EPSS
90.1%
top 0.41%
CISA KEV
KEV
Added 2025-10-02
Due 2025-10-23
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
GNU Bash
Timeline
PublishedSep 30
KEV addedOct 2
KEV dueOct 23
CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. N

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

Debianbash< 4.3-9.2+3
Ubuntubash< 4.3-7ubuntu1.5
NVDgnu/bash25 versions+24

Patches

Patch: lcamtuf.blogspot.comPatch: lcamtuf.blogspot.com

🔴Vulnerability Details

5
GHSA
GHSA-6493-28fj-f93w: GNU Bash through 42022-05-13
OSV
bash vulnerabilities2014-10-09
OSV
CVE-2014-6278: GNU Bash through 42014-09-30
CVEList
CVE-2014-6278: GNU Bash through 42014-09-30
VulnCheck
GNU Bash OS Command Injection Vulnerability2014

💥Exploits & PoCs

6
Exploit-DB
Sun Secure Global Desktop and Oracle Global Desktop 4.61.915 - Command Injection (Shellshock)2016-06-06
Exploit-DB
Cisco UCS Manager 2.1(1b) - Remote Command Injection (Shellshock)2016-03-16
Exploit-DB
CUPS Filter - Bash Environment Variable Code Injection (Metasploit)2014-10-29
Exploit-DB
Apache mod_cgi - 'Shellshock' Remote Command Injection2014-10-06
Exploit-DB
GNU bash 4.3.11 - Environment Variable dhclient2014-10-02

📋Vendor Advisories

5
CISA
GNU Bash OS Command Injection Vulnerability2025-10-02
Ubuntu
Bash vulnerabilities2014-10-09
Red Hat
bash: incorrect parsing of function definitions with nested command substitutions2014-09-29
Cisco
GNU Bash Environment Variable Command Injection Vulnerability2014-09-26
Debian
CVE-2014-6278: bash - GNU Bash through 4.3 bash43-026 does not properly parse function definitions in ...2014

💬Community

1
Bugzilla
CVE-2014-6278 bash: incorrect parsing of function definitions with nested command substitutions2014-09-29