GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.
CVE-2014-7169
Score elevated to 9.8 because this CVE is listed on the CISA Known Exploited Vulnerabilities catalog (added 2022-01-28), indicating real-world exploitation has been confirmed by US federal agencies. NVD baseline CVSS 9.8 retained for reference. Confidence: HIGH.
- Actively exploited in the wild (CISA-KEV)
A fix is available — apply it.
- CVSS v3
- 9.8
- EG Score
- 9.8(medium)
- EPSS
- 100.0%
- KEV
- ⚠ Exploited
Published
September 25, 2014
Last Modified
April 22, 2026
Advisory Details (7)
Auto-updated May 12, 2026lcamtuf's old blog: Quick notes about the bash bug, its impact, and the fixes so far
http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.htmlJVN#55667175: QNAP QTS vulnerable to OS command injection
http://jvn.jp/en/jp/JVN55667175/index.htmlMageia Advisory: MGASA-2014-0393 - Updated bash packages fix CVE-2014-7169
http://advisories.mageia.org/MGASA-2014-0393.htmlVendor Advisories for CVE-2014-7169(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Patch Availability(7)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| ubuntu | bash-static (4.3-7ubuntu1.3) @ trusty | 2026-07-11 | ubuntu |
| ubuntu | bash-static (4.3-7ubuntu1.2) @ trusty | 2026-07-11 | ubuntu |
| redhat | bash-0:3.2-32.el5_9.3.sjis.1 | 2014-11-17 | redhat |
| redhat | rhev-hypervisor6-0:6.5-20140930.1.el6ev | 2014-10-02 | redhat |
| redhat | bash-0:4.2.45-5.el7_0.4 | 2014-09-26 | redhat |
| redhat | bash-0:4.1.2-15.el6_4.2 | 2014-09-26 | redhat |
| redhat | bash-0:4.1.2-15.el6_5.1.sjis.2 | 2014-09-26 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Additional Vendor Advisories
(6)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
- Red HatRHSA-2014:1306IMPORTANT2014-09-24
RHSA-2014:1306 — Important
- Red HatRHSA-2014:1311IMPORTANT2014-09-24
RHSA-2014:1311 — Important
- Red HatRHSA-2014:1312IMPORTANT2014-09-24
RHSA-2014:1312 — Important
- Red HatRHSA-2014:1865IMPORTANT2014-09-24
RHSA-2014:1865 — Important
- UbuntuUSN-2363-1HIGH
Bash vulnerability
- UbuntuUSN-2363-2HIGH
Bash vulnerability
Data Freshness Timeline
(refreshed 123× in last 7d / 521× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 784 total refreshes for this CVE.
- 2026-07-12 04:12 UTCEG score recompute
- 2026-07-12 04:12 UTCVendor advisory
- 2026-07-12 04:11 UTCGHSA enrichment
- 2026-07-11 23:54 UTCEG score recompute
- 2026-07-11 23:54 UTCVendor advisory
- 2026-07-11 23:54 UTCGHSA enrichment
- 2026-07-11 19:40 UTCEG score recompute
- 2026-07-11 19:40 UTCVendor advisory
- 2026-07-11 19:40 UTCGHSA enrichment
- 2026-07-11 15:26 UTCEG score recompute
- 2026-07-11 15:26 UTCVendor advisory
- 2026-07-11 15:26 UTCGHSA enrichment
- 2026-07-11 11:12 UTCEG score recompute
- 2026-07-11 11:12 UTCVendor advisory
- 2026-07-11 11:12 UTCGHSA enrichment
- 2026-07-11 06:58 UTCEG score recompute
- 2026-07-11 06:58 UTCVendor advisory
- 2026-07-11 06:58 UTCGHSA enrichment
- 2026-07-11 02:44 UTCEG score recompute
- 2026-07-11 02:44 UTCVendor advisory
- 2026-07-11 02:44 UTCGHSA enrichment
- 2026-07-10 22:30 UTCEG score recompute
- 2026-07-10 22:30 UTCVendor advisory
- 2026-07-10 22:30 UTCGHSA enrichment
- 2026-07-10 18:16 UTCEG score recompute
Show 75 moreShow fewer
- 2026-07-10 18:16 UTCVendor advisory
- 2026-07-10 18:16 UTCGHSA enrichment
- 2026-07-10 17:52 UTCCISA KEV update
- 2026-07-10 14:01 UTCEG score recompute
- 2026-07-10 14:01 UTCVendor advisory
- 2026-07-10 14:00 UTCGHSA enrichment
- 2026-07-10 09:46 UTCEG score recompute
- 2026-07-10 09:46 UTCVendor advisory
- 2026-07-10 09:46 UTCGHSA enrichment
- 2026-07-10 05:31 UTCEG score recompute
- 2026-07-10 05:31 UTCVendor advisory
- 2026-07-10 05:31 UTCGHSA enrichment
- 2026-07-10 01:18 UTCEG score recompute
- 2026-07-10 01:18 UTCVendor advisory
- 2026-07-10 01:18 UTCGHSA enrichment
- 2026-07-09 21:04 UTCEG score recompute
- 2026-07-09 21:04 UTCVendor advisory
- 2026-07-09 21:04 UTCGHSA enrichment
- 2026-07-09 16:49 UTCEG score recompute
- 2026-07-09 16:49 UTCVendor advisory
- 2026-07-09 16:49 UTCGHSA enrichment
- 2026-07-09 12:36 UTCEG score recompute
- 2026-07-09 12:36 UTCVendor advisory
- 2026-07-09 12:36 UTCGHSA enrichment
- 2026-07-09 08:20 UTCEG score recompute
- 2026-07-09 08:20 UTCVendor advisory
- 2026-07-09 08:20 UTCGHSA enrichment
- 2026-07-09 04:07 UTCEG score recompute
- 2026-07-09 04:07 UTCVendor advisory
- 2026-07-09 04:07 UTCGHSA enrichment
- 2026-07-08 23:53 UTCEG score recompute
- 2026-07-08 23:53 UTCVendor advisory
- 2026-07-08 23:52 UTCGHSA enrichment
- 2026-07-08 19:38 UTCEG score recompute
- 2026-07-08 19:38 UTCVendor advisory
- 2026-07-08 19:38 UTCGHSA enrichment
- 2026-07-08 15:23 UTCEG score recompute
- 2026-07-08 15:23 UTCVendor advisory
- 2026-07-08 15:23 UTCGHSA enrichment
- 2026-07-08 11:07 UTCEG score recompute
- 2026-07-08 11:07 UTCVendor advisory
- 2026-07-08 11:07 UTCGHSA enrichment
- 2026-07-08 06:53 UTCEG score recompute
- 2026-07-08 06:53 UTCVendor advisory
- 2026-07-08 06:53 UTCGHSA enrichment
- 2026-07-08 02:39 UTCEG score recompute
- 2026-07-08 02:39 UTCVendor advisory
- 2026-07-08 02:39 UTCGHSA enrichment
- 2026-07-07 22:26 UTCEG score recompute
- 2026-07-07 22:26 UTCVendor advisory
- 2026-07-07 22:25 UTCGHSA enrichment
- 2026-07-07 19:01 UTCCISA KEV update
- 2026-07-07 18:12 UTCEG score recompute
- 2026-07-07 18:12 UTCVendor advisory
- 2026-07-07 18:11 UTCGHSA enrichment
- 2026-07-07 17:16 UTCCISA KEV update
- 2026-07-07 13:54 UTCEG score recompute
- 2026-07-07 13:54 UTCVendor advisory
- 2026-07-07 13:54 UTCGHSA enrichment
- 2026-07-07 09:40 UTCEG score recompute
- 2026-07-07 09:40 UTCVendor advisory
- 2026-07-07 09:40 UTCGHSA enrichment
- 2026-07-07 05:26 UTCEG score recompute
- 2026-07-07 05:26 UTCVendor advisory
- 2026-07-07 05:26 UTCGHSA enrichment
- 2026-07-07 01:11 UTCEG score recompute
- 2026-07-07 01:11 UTCVendor advisory
- 2026-07-07 01:11 UTCGHSA enrichment
- 2026-07-06 20:57 UTCEG score recompute
- 2026-07-06 20:57 UTCVendor advisory
- 2026-07-06 20:56 UTCGHSA enrichment
- 2026-07-06 16:41 UTCEG score recompute
- 2026-07-06 16:41 UTCVendor advisory
- 2026-07-06 16:41 UTCGHSA enrichment
- 2026-07-06 12:27 UTCEG score recompute
Publicly available exploits
(10 references)Working exploit code is in the public domain (1 GitHub PoC) (9 Exploit-DB entries). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- Exploit-DBEDB-36609First seen Apr 2, 2015
Kemp Load Master 7.1.16 - Multiple Vulnerabilities
Open source ↗ - Exploit-DBEDB-36503First seen Mar 26, 2015
QNAP - Admin Shell via Bash Environment Variable Code Injection (Metasploit)
Open source ↗ - Exploit-DBEDB-36504First seen Mar 26, 2015
QNAP - Web Server Remote Code Execution via Bash Environment Variable Code Injection (Metasploit)
Open source ↗ - Exploit-DBEDB-35146First seen Nov 3, 2014
PHP < 5.6.2 - 'Shellshock' Safe Mode / disable_functions Bypass / Command Injection
Open source ↗ - GitHub PoCchef-boneyard/bash-shellshockFirst seen Oct 31, 2014
DEPRECATED: Chef cookbook to audit & remediate "Shellshock" (BASH-CVE-2014-7169)
Open source ↗ - Exploit-DBEDB-35115✓ verifiedFirst seen Oct 29, 2014
CUPS Filter - Bash Environment Variable Code Injection (Metasploit)
Open source ↗ - Exploit-DBEDB-34895✓ verifiedFirst seen Oct 6, 2014
Bash CGI - 'Shellshock' Remote Command Injection (Metasploit)
Open source ↗ - Exploit-DBEDB-34896✓ verifiedFirst seen Oct 6, 2014
Postfix SMTP 4.2.x < 4.2.48 - 'Shellshock' Remote Command Injection
Open source ↗ - Exploit-DBEDB-34879First seen Oct 4, 2014
OpenVPN 2.2.29 - 'Shellshock' Remote Command Injection
Open source ↗ - Exploit-DBEDB-34860First seen Oct 2, 2014
GNU bash 4.3.11 - Environment Variable dhclient
Open source ↗
Past incidents using this CVE
(1)This CVE was central to one or more publicly-documented breaches. Each card links to authoritative reporting at the time of the incident.
- Shellshock (bash)Sep 2014
GNU bash environment-variable parsing flaw allowed remote command execution via CGI scripts, SSH, DHCP and Git. Affected millions of Unix systems.
Source: The Register
Related CVEs(same vendor + same CWE)
Same vendor
10 shownredhat
Same CWE
10 shownCWE-78
Frequently asked(6)
What is CVE-2014-7169?
When was CVE-2014-7169 disclosed?
Is CVE-2014-7169 actively exploited?
What is the CVSS score of CVE-2014-7169?
Which products are affected by CVE-2014-7169?
How do I remediate CVE-2014-7169?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2014-7169
Is Your Infrastructure Affected by CVE-2014-7169?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.