CVE-2019-18276

HIGH

GNU Bash <5.0.11 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-18276. PoCs published by M-ensimag, SABI-Ensimag.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2019-18276, leveraging a local privilege escalation (LPE) vulnerability in Bash's 'enable' command. The exploit uses a shared library with a constructor to escalate privileges and read a restricted file.

Description

An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.

Exploits (2)

nomisec WORKING POC 3 stars

by M-ensimag · poc

https://github.com/M-ensimag/CVE-2019-18276

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2019-18276, leveraging a local privilege escalation (LPE) vulnerability in Bash's 'enable' command. The exploit uses a shared library with a constructor to escalate privileges and read a restricted file.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: GNU Bash (versions affected by CVE-2019-18276)

Auth required

Prerequisites: Local access to the target system · Bash with the vulnerability present · Ability to compile and load a shared library

MITRE ATT&CK

T1548.001 - Setuid and Setgid

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec WORKING POC

by SABI-Ensimag · poc

https://github.com/SABI-Ensimag/CVE-2019-18276

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2019-18276, a privilege escalation vulnerability in Bash 5.0. The exploit leverages a SUID binary to drop privileges and execute arbitrary code with elevated permissions.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Bash 5.0.3(1)

No auth needed

Prerequisites: Access to a system with a SUID binary linked to Bash 5.0

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (7)

Core 7

Core References

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/202105-34

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpuapr2022.html

Exploit, Third Party Advisory x_refsource_misc

https://www.youtube.com/watch?v=-wGtxJ8opa8

Patch, Third Party Advisory x_refsource_confirm

https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html

Third Party Advisory x_refsource_confirm

https://security.netapp.com/advisory/ntap-20200430-0003/

Scores

CVSS v3 7.8

EPSS 0.0261

EPSS Percentile 83.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-273

Status published

Products (6)

gnu/bash 5.0 beta1 (14 CPE variants)

gnu/bash < 5.0

netapp/hci_management_node

netapp/oncommand_unified_manager 9.5

netapp/solidfire

oracle/communications_cloud_native_core_policy 1.14.0

Published Nov 28, 2019

Tracked Since Feb 18, 2026