CVE-2026-21882
Local Privilege Escalation in theshit Utility via Improper Privilege Dropping
Publication date: 2026-03-02
Last updated on: 2026-03-02
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| asfhtgkdavid | theshit | up to 0.2.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-273 | The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded. |
| CWE-250 | The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. |
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Avoid running the "theshit" utility with sudo or root privileges.
- Remove or restrict "theshit" usage in sudoers configurations, especially those with NOPASSWD options.
- Upgrade the "theshit" utility to version 0.2.0 or later, where the vulnerability has been patched by properly resetting effective user and group IDs before command retries.
These steps prevent the improper privilege dropping issue that allows local privilege escalation. [1]
Can you explain this vulnerability to me?
CVE-2026-21882 is a Local Privilege Escalation vulnerability in the Rust package "theshit" versions prior to 0.2.0. The issue arises because the tool improperly drops elevated privileges when retrying failed shell commands. When run with root or sudo privileges, the tool records the last command and reruns it without reverting to the original unprivileged user context. This means that a retried command executes with root privileges even if originally issued by a non-privileged user.
This flaw allows a local attacker to intentionally trigger a failed command under elevated privileges and gain arbitrary root command execution through the retry mechanism. The vulnerability is caused by failure to properly reset the effective user and group IDs before re-executing commands.
The issue has been fixed in version 0.2.0 by explicitly resetting the effective UID and GID to the original invoking user before retrying commands, ensuring proper privilege management. [1]
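The fix described above amounts to running the retry as the invoking user and refusing to run it when that cannot be done. The following is an added example, not theshit's actual patch: it sets the ids on the child process through Rust's `CommandExt::uid`/`gid` rather than resetting them in the parent, and it assumes the invoking user is identified by the `SUDO_UID`/`SUDO_GID` variables that sudo exports. `invoking_ids` and `retry_command` are hypothetical names.

```rust
// Added example, not theshit's code: the recorded command is re-run as the
// invoking user instead of inheriting root from sudo.
use std::os::unix::process::CommandExt;
use std::process::Command;

/// Ids of the user who invoked sudo. Ok(None) means the process was not
/// started through sudo, so the child keeps the caller's own ids.
/// Assumption: sudo exported SUDO_UID and SUDO_GID, as it does by default.
pub fn invoking_ids(uid: Option<&str>, gid: Option<&str>) -> Result<Option<(u32, u32)>, String> {
    match (uid, gid) {
        (None, None) => Ok(None),
        (Some(u), Some(g)) => {
            let u = u.parse::<u32>().map_err(|_| format!("SUDO_UID is not numeric: {:?}", u))?;
            let g = g.parse::<u32>().map_err(|_| format!("SUDO_GID is not numeric: {:?}", g))?;
            Ok(Some((u, g)))
        }
        // Fail closed: a half-set pair must not fall back to running as root.
        _ => Err("SUDO_UID and SUDO_GID must both be set".to_string()),
    }
}

/// Build the retry. With ids present, std sets the gid, clears supplementary
/// groups when the parent is root, then sets the uid in the child before
/// exec. If any of those calls fails, spawn() returns Err and nothing runs,
/// so a failed drop is never silently ignored (CWE-273).
pub fn retry_command(prev_cmd: &str, uid: Option<&str>, gid: Option<&str>) -> Result<Command, String> {
    let mut cmd = Command::new("sh");
    cmd.arg("-c").arg(prev_cmd);
    if let Some((u, g)) = invoking_ids(uid, gid)? {
        cmd.gid(g).uid(u);
    }
    Ok(cmd)
}

fn main() {
    // SH_PREV_CMD is the variable named on the page; `id` is a harmless default.
    let prev = std::env::var("SH_PREV_CMD").unwrap_or_else(|_| "id".to_string());
    let (uid, gid) = (std::env::var("SUDO_UID").ok(), std::env::var("SUDO_GID").ok());
    match retry_command(&prev, uid.as_deref(), gid.as_deref()) {
        Ok(mut cmd) => match cmd.status() {
            Ok(status) => println!("retry finished: {}", status),
            Err(e) => eprintln!("retry refused, child not started: {}", e),
        },
        Err(e) => eprintln!("retry refused: {}", e),
    }
}
```

Run under sudo with the default command, the child's `id` output shows the invoking user's uid and gid rather than 0.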
How can this vulnerability impact me?
This vulnerability can allow a local attacker to escalate their privileges to root on a system where the vulnerable version of the tool is run with elevated privileges, such as via sudo or as root.
An attacker can exploit the retry mechanism to execute arbitrary commands with root privileges, potentially leading to full system compromise.
- Confidentiality impact: High - attacker can access sensitive data.
- Integrity impact: High - attacker can modify system files or configurations.
- Availability impact: High - attacker can disrupt system availability.
The vulnerability is especially dangerous in environments where the tool is configured with sudo NOPASSWD, allowing privilege escalation without additional user interaction.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the vulnerable version of the "theshit" utility (prior to 0.2.0) is installed and used with elevated privileges such as sudo or root.
A practical detection method involves verifying if the tool is run with sudo or root and if it improperly re-executes commands with elevated privileges.
One can test for the vulnerability by attempting to create a root-owned file via the retry mechanism using the environment variable SH_PREV_CMD. For example, running the following command with sudo can demonstrate the issue:
- sudo SH_PREV_CMD='touch /root/proof_of_lpe' theshit
If the file /root/proof_of_lpe is created with root ownership, the system is vulnerable.
Additionally, checking sudoers configurations for NOPASSWD entries that allow running theshit with elevated privileges can help identify risk. [1]