{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/sh--2.2.4/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["sh (\u003c 2.2.4)"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","vulnerability","linux"],"_cs_type":"advisory","_cs_vendors":["sh"],"content_html":"\u003cp\u003eA high-severity vulnerability (CVE-2026-54552) has been identified in the \u003ccode\u003esh\u003c/code\u003e package, versioned prior to 2.2.4, impacting Linux/Unix-like operating systems. This flaw, dubbed an \u0026quot;incomplete privilege drop,\u0026quot; occurs when a process with elevated privileges executes \u003ccode\u003esh\u003c/code\u003e using the \u003ccode\u003e_uid\u003c/code\u003e option to launch a command as an unprivileged user. While the child \u003ccode\u003esh\u003c/code\u003e process correctly changes its User ID (UID) and primary Group ID (GID) to that of the specified unprivileged user, it critically fails to drop the supplementary groups inherited from its privileged parent process. This oversight allows the ostensibly unprivileged child process to retain access to resources and permissions associated with potentially privileged supplementary groups, such as \u003ccode\u003eroot\u003c/code\u003e, \u003ccode\u003edocker\u003c/code\u003e, \u003ccode\u003edisk\u003c/code\u003e, \u003ccode\u003eshadow\u003c/code\u003e, or \u003ccode\u003esudo\u003c/code\u003e. This bypasses intended security boundaries, enabling a local attacker to escalate privileges or access restricted files and functionalities, particularly if the \u003ccode\u003e_uid\u003c/code\u003e option was relied upon for privilege separation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux/Unix-like system with some level of user privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a privileged process (e.g., a system service, a script executed by root) that utilizes the \u003ccode\u003esh\u003c/code\u003e package and its \u003ccode\u003e_uid\u003c/code\u003e option to execute commands.\u003c/li\u003e\n\u003cli\u003eThe privileged parent process executes a command via \u003ccode\u003esh\u003c/code\u003e with \u003ccode\u003e_uid=\u0026lt;unprivileged user\u0026gt;\u003c/code\u003e, intending to restrict the command's execution context.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esh\u003c/code\u003e package initiates a child process, which correctly changes its User ID (UID) and primary Group ID (GID) to that of the specified unprivileged user.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the child process does not fully reset its supplementary group list and inherits some or all of the privileged supplementary groups from the parent process.\u003c/li\u003e\n\u003cli\u003eThe attacker, operating within the context of this unprivileged child process, can now leverage the retained privileged supplementary groups to access files or resources that would normally be inaccessible to the unprivileged user.\u003c/li\u003e\n\u003cli\u003eThis allows the attacker to escalate privileges or perform actions beyond the intended scope of the unprivileged user, potentially leading to full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows for local privilege escalation on Linux/Unix-like systems where the \u003ccode\u003esh\u003c/code\u003e package (versions prior to 2.2.4) is used in conjunction with the \u003ccode\u003e_uid\u003c/code\u003e option from a privileged parent process. Organizations that deploy applications or services relying on \u003ccode\u003e_uid\u003c/code\u003e for privilege separation are directly impacted. An attacker exploiting this flaw can gain unauthorized access to sensitive files, directories, or system functions by inheriting privileged supplementary groups such as \u003ccode\u003eroot\u003c/code\u003e, \u003ccode\u003edocker\u003c/code\u003e, \u003ccode\u003eshadow\u003c/code\u003e, or \u003ccode\u003esudo\u003c/code\u003e. This subversion of privilege boundaries can lead to data exfiltration, system compromise, or further lateral movement within the network. There is no specific number of victims or targeted sectors mentioned, but any environment utilizing the vulnerable \u003ccode\u003esh\u003c/code\u003e package in this manner is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003epip/sh\u003c/code\u003e package to version 2.2.4 or newer to patch CVE-2026-54552 immediately.\u003c/li\u003e\n\u003cli\u003eAs a workaround, avoid using the \u003ccode\u003e_uid\u003c/code\u003e option in the \u003ccode\u003esh\u003c/code\u003e package when the intended user is a less-privileged user and the parent process has elevated privileges, until the patch can be applied.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T18:44:10Z","date_published":"2026-07-17T18:44:10Z","id":"https://feed.craftedsignal.io/briefs/2026-07-sh-uid-incomplete-privilege-drop/","summary":"A vulnerability in the 'sh' package, affecting Linux/Unix-like systems, allows for an incomplete privilege drop when the `_uid` option is used. When a process with elevated privileges launches a child process with `_uid=\u003cunprivileged user\u003e`, the child process changes its UID and primary GID but fails to reset its supplementary groups. This flaw enables the child process to retain potentially privileged supplementary groups (e.g., root, docker), bypassing intended privilege boundaries and granting access to resources beyond its expected permissions.","title":"Incomplete Privilege Drop in 'sh' Package Allows Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-07-sh-uid-incomplete-privilege-drop/"}],"language":"en","title":"CraftedSignal Threat Feed - Sh (\u003c 2.2.4)","version":"https://jsonfeed.org/version/1.1"}