<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Sh (&lt; 2.2.4) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/sh--2.2.4/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 Jul 2026 18:44:10 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/sh--2.2.4/feed.xml" rel="self" type="application/rss+xml"/><item><title>Incomplete Privilege Drop in 'sh' Package Allows Privilege Escalation</title><link>https://feed.craftedsignal.io/briefs/2026-07-sh-uid-incomplete-privilege-drop/</link><pubDate>Fri, 17 Jul 2026 18:44:10 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-sh-uid-incomplete-privilege-drop/</guid><description>A vulnerability in the 'sh' package, affecting Linux/Unix-like systems, allows for an incomplete privilege drop when the `_uid` option is used. When a process with elevated privileges launches a child process with `_uid=&lt;unprivileged user&gt;`, the child process changes its UID and primary GID but fails to reset its supplementary groups. This flaw enables the child process to retain potentially privileged supplementary groups (e.g., root, docker), bypassing intended privilege boundaries and granting access to resources beyond its expected permissions.</description><content:encoded><![CDATA[<p>A high-severity vulnerability (CVE-2026-54552) has been identified in the <code>sh</code> package, versioned prior to 2.2.4, impacting Linux/Unix-like operating systems. This flaw, dubbed an &quot;incomplete privilege drop,&quot; occurs when a process with elevated privileges executes <code>sh</code> using the <code>_uid</code> option to launch a command as an unprivileged user. While the child <code>sh</code> process correctly changes its User ID (UID) and primary Group ID (GID) to that of the specified unprivileged user, it critically fails to drop the supplementary groups inherited from its privileged parent process. This oversight allows the ostensibly unprivileged child process to retain access to resources and permissions associated with potentially privileged supplementary groups, such as <code>root</code>, <code>docker</code>, <code>disk</code>, <code>shadow</code>, or <code>sudo</code>. This bypasses intended security boundaries, enabling a local attacker to escalate privileges or access restricted files and functionalities, particularly if the <code>_uid</code> option was relied upon for privilege separation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Linux/Unix-like system with some level of user privileges.</li>
<li>The attacker identifies a privileged process (e.g., a system service, a script executed by root) that utilizes the <code>sh</code> package and its <code>_uid</code> option to execute commands.</li>
<li>The privileged parent process executes a command via <code>sh</code> with <code>_uid=&lt;unprivileged user&gt;</code>, intending to restrict the command's execution context.</li>
<li>The <code>sh</code> package initiates a child process, which correctly changes its User ID (UID) and primary Group ID (GID) to that of the specified unprivileged user.</li>
<li>Due to the vulnerability, the child process does not fully reset its supplementary group list and inherits some or all of the privileged supplementary groups from the parent process.</li>
<li>The attacker, operating within the context of this unprivileged child process, can now leverage the retained privileged supplementary groups to access files or resources that would normally be inaccessible to the unprivileged user.</li>
<li>This allows the attacker to escalate privileges or perform actions beyond the intended scope of the unprivileged user, potentially leading to full system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The vulnerability allows for local privilege escalation on Linux/Unix-like systems where the <code>sh</code> package (versions prior to 2.2.4) is used in conjunction with the <code>_uid</code> option from a privileged parent process. Organizations that deploy applications or services relying on <code>_uid</code> for privilege separation are directly impacted. An attacker exploiting this flaw can gain unauthorized access to sensitive files, directories, or system functions by inheriting privileged supplementary groups such as <code>root</code>, <code>docker</code>, <code>shadow</code>, or <code>sudo</code>. This subversion of privilege boundaries can lead to data exfiltration, system compromise, or further lateral movement within the network. There is no specific number of victims or targeted sectors mentioned, but any environment utilizing the vulnerable <code>sh</code> package in this manner is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the <code>pip/sh</code> package to version 2.2.4 or newer to patch CVE-2026-54552 immediately.</li>
<li>As a workaround, avoid using the <code>_uid</code> option in the <code>sh</code> package when the intended user is a less-privileged user and the parent process has elevated privileges, until the patch can be applied.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>vulnerability</category><category>linux</category></item></channel></rss>