GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
CVE-2014-6271
Score elevated to 9.8 because this CVE is listed on the CISA Known Exploited Vulnerabilities catalog (added 2022-01-28), indicating real-world exploitation has been confirmed by US federal agencies. NVD baseline CVSS 9.8 retained for reference. Confidence: HIGH.
- Actively exploited in the wild (CISA-KEV)
A fix is available — apply it.
- CVSS v3
- 9.8
- EG Score
- 9.8(medium)
- EPSS
- 100.0%
- KEV
- ⚠ Exploited
Published
September 24, 2014
Last Modified
April 22, 2026
Advisory Details (6)
Auto-updated May 12, 2026lcamtuf's old blog: Quick notes about the bash bug, its impact, and the fixes so far
http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.htmlJVN#55667175: QNAP QTS vulnerable to OS command injection
http://jvn.jp/en/jp/JVN55667175/index.htmlMageia Advisory: MGASA-2014-0388 - Updated bash packages fix CVE-2014-6271
http://advisories.mageia.org/MGASA-2014-0388.htmlVendor Advisories for CVE-2014-6271(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Patch Availability(5)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| ubuntu | bash-static (4.3-7ubuntu1.1) @ trusty | 2026-07-12 | ubuntu |
| redhat | rhev-hypervisor6-0:6.5-20140930.1.el6ev | 2014-10-02 | redhat |
| redhat | bash-0:4.1.2-15.el6_5.1.sjis.1 | 2014-09-24 | redhat |
| redhat | bash-0:4.1.2-15.el6_4.1 | 2014-09-24 | redhat |
| redhat | bash-0:4.2.45-5.el7_0.2 | 2014-09-24 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Additional Vendor Advisories
(4)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
Data Freshness Timeline
(refreshed 120× in last 7d / 522× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 772 total refreshes for this CVE.
- 2026-07-12 01:56 UTCEG score recompute
- 2026-07-12 01:56 UTCVendor advisory
- 2026-07-12 01:56 UTCGHSA enrichment
- 2026-07-11 21:44 UTCEG score recompute
- 2026-07-11 21:44 UTCVendor advisory
- 2026-07-11 21:44 UTCGHSA enrichment
- 2026-07-11 17:32 UTCEG score recompute
- 2026-07-11 17:32 UTCVendor advisory
- 2026-07-11 17:32 UTCGHSA enrichment
- 2026-07-11 13:20 UTCEG score recompute
- 2026-07-11 13:20 UTCVendor advisory
- 2026-07-11 13:20 UTCGHSA enrichment
- 2026-07-11 09:08 UTCEG score recompute
- 2026-07-11 09:08 UTCVendor advisory
- 2026-07-11 09:08 UTCGHSA enrichment
- 2026-07-11 04:56 UTCEG score recompute
- 2026-07-11 04:56 UTCVendor advisory
- 2026-07-11 04:56 UTCGHSA enrichment
- 2026-07-11 00:43 UTCEG score recompute
- 2026-07-11 00:43 UTCVendor advisory
- 2026-07-11 00:43 UTCGHSA enrichment
- 2026-07-10 20:31 UTCEG score recompute
- 2026-07-10 20:31 UTCVendor advisory
- 2026-07-10 20:31 UTCGHSA enrichment
- 2026-07-10 17:52 UTCCISA KEV update
Show 75 moreShow fewer
- 2026-07-10 16:19 UTCEG score recompute
- 2026-07-10 16:19 UTCVendor advisory
- 2026-07-10 16:18 UTCGHSA enrichment
- 2026-07-10 12:05 UTCEG score recompute
- 2026-07-10 12:05 UTCVendor advisory
- 2026-07-10 12:04 UTCGHSA enrichment
- 2026-07-10 07:51 UTCEG score recompute
- 2026-07-10 07:51 UTCVendor advisory
- 2026-07-10 07:51 UTCGHSA enrichment
- 2026-07-10 03:33 UTCEG score recompute
- 2026-07-10 03:33 UTCVendor advisory
- 2026-07-10 03:33 UTCGHSA enrichment
- 2026-07-09 23:21 UTCEG score recompute
- 2026-07-09 23:21 UTCVendor advisory
- 2026-07-09 23:21 UTCGHSA enrichment
- 2026-07-09 19:09 UTCEG score recompute
- 2026-07-09 19:09 UTCVendor advisory
- 2026-07-09 19:09 UTCGHSA enrichment
- 2026-07-09 14:56 UTCEG score recompute
- 2026-07-09 14:56 UTCVendor advisory
- 2026-07-09 14:56 UTCGHSA enrichment
- 2026-07-09 10:44 UTCEG score recompute
- 2026-07-09 10:44 UTCVendor advisory
- 2026-07-09 10:44 UTCGHSA enrichment
- 2026-07-09 06:31 UTCEG score recompute
- 2026-07-09 06:31 UTCVendor advisory
- 2026-07-09 06:31 UTCGHSA enrichment
- 2026-07-09 02:19 UTCEG score recompute
- 2026-07-09 02:19 UTCVendor advisory
- 2026-07-09 02:19 UTCGHSA enrichment
- 2026-07-08 22:07 UTCEG score recompute
- 2026-07-08 22:07 UTCVendor advisory
- 2026-07-08 22:06 UTCGHSA enrichment
- 2026-07-08 17:53 UTCEG score recompute
- 2026-07-08 17:53 UTCVendor advisory
- 2026-07-08 17:53 UTCGHSA enrichment
- 2026-07-08 13:40 UTCEG score recompute
- 2026-07-08 13:40 UTCVendor advisory
- 2026-07-08 13:40 UTCGHSA enrichment
- 2026-07-08 09:24 UTCEG score recompute
- 2026-07-08 09:24 UTCVendor advisory
- 2026-07-08 09:24 UTCGHSA enrichment
- 2026-07-08 05:12 UTCEG score recompute
- 2026-07-08 05:12 UTCVendor advisory
- 2026-07-08 05:12 UTCGHSA enrichment
- 2026-07-08 00:59 UTCEG score recompute
- 2026-07-08 00:59 UTCVendor advisory
- 2026-07-08 00:58 UTCGHSA enrichment
- 2026-07-07 20:47 UTCEG score recompute
- 2026-07-07 20:47 UTCVendor advisory
- 2026-07-07 20:47 UTCGHSA enrichment
- 2026-07-07 19:01 UTCCISA KEV update
- 2026-07-07 17:16 UTCCISA KEV update
- 2026-07-07 16:34 UTCEG score recompute
- 2026-07-07 16:34 UTCVendor advisory
- 2026-07-07 16:34 UTCGHSA enrichment
- 2026-07-07 12:20 UTCEG score recompute
- 2026-07-07 12:20 UTCVendor advisory
- 2026-07-07 12:20 UTCGHSA enrichment
- 2026-07-07 08:06 UTCEG score recompute
- 2026-07-07 08:06 UTCVendor advisory
- 2026-07-07 08:06 UTCGHSA enrichment
- 2026-07-07 03:52 UTCEG score recompute
- 2026-07-07 03:52 UTCVendor advisory
- 2026-07-07 03:51 UTCGHSA enrichment
- 2026-07-06 23:37 UTCEG score recompute
- 2026-07-06 23:37 UTCVendor advisory
- 2026-07-06 23:37 UTCGHSA enrichment
- 2026-07-06 19:23 UTCEG score recompute
- 2026-07-06 19:23 UTCVendor advisory
- 2026-07-06 19:23 UTCGHSA enrichment
- 2026-07-06 15:09 UTCEG score recompute
- 2026-07-06 15:09 UTCVendor advisory
- 2026-07-06 15:09 UTCGHSA enrichment
- 2026-07-06 10:56 UTCEG score recompute
Publicly available exploits
(10 references)Working exploit code is in the public domain (1 Metasploit module) (3 GitHub PoCs) (6 Exploit-DB entries). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoCJ0hnTh3Kn1ght/CVE-2014-6271First seen Jul 1, 2023
Exploitation of "Shellshock" Vulnerability. Remote code execution in Apache with mod_cgi
Open source ↗ - GitHub PoCb4keSn4ke/CVE-2014-6271First seen Jul 29, 2021
Shellshock exploit aka CVE-2014-6271
Open source ↗ - Exploit-DBEDB-42938✓ verifiedFirst seen Oct 2, 2017
Qmail SMTP - Bash Environment Variable Injection (Metasploit)
Open source ↗ - Exploit-DBEDB-40938✓ verifiedFirst seen Dec 18, 2016
RedStar 3.0 Server - 'Shellshock' 'BEAM' / 'RSSMON' Command Injection
Open source ↗ - GitHub PoCopsxcq/exploit-CVE-2014-6271First seen Dec 7, 2016
Shellshock exploit + vulnerable environment
Open source ↗ - Exploit-DBEDB-40619First seen Oct 21, 2016
TrendMicro InterScan Web Security Virtual Appliance - 'Shellshock' Remote Command Injection
Open source ↗ - Exploit-DBEDB-39918✓ verifiedFirst seen Jun 10, 2016
IPFire - 'Shellshock' Bash Environment Variable Command Injection (Metasploit)
Open source ↗ - Exploit-DBEDB-38849✓ verifiedFirst seen Dec 2, 2015
Advantech Switch - 'Shellshock' Bash Environment Variable Command Injection (Metasploit)
Open source ↗ - Metasploitexploit/linux/http/advantech_switch_bash_env_exec✓ verifiedFirst seen Dec 1, 2015
Advantech Switch Bash Environment Variable Code Injection (Shellshock)
Open source ↗ - Exploit-DBEDB-37816First seen Aug 18, 2015
Cisco Unified Communications Manager - Multiple Vulnerabilities
Open source ↗
Past incidents using this CVE
(1)This CVE was central to one or more publicly-documented breaches. Each card links to authoritative reporting at the time of the incident.
- Shellshock (bash)Sep 2014
GNU bash environment-variable parsing flaw allowed remote command execution via CGI scripts, SSH, DHCP and Git. Affected millions of Unix systems.
Source: The Register
Frequently asked(6)
What is CVE-2014-6271?
When was CVE-2014-6271 disclosed?
Is CVE-2014-6271 actively exploited?
What is the CVSS score of CVE-2014-6271?
Which products are affected by CVE-2014-6271?
How do I remediate CVE-2014-6271?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2014-6271
Is Your Infrastructure Affected by CVE-2014-6271?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.