Cyber Resilience

CVE-2026-21882

HighLPE

Published: 02 March 2026

Published
02 March 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0018 7.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-21882 is a high-severity Execution with Unnecessary Privileges (CWE-250) vulnerability. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 7.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-21882 affects theshit, a command-line utility designed to automatically detect and fix common mistakes in shell commands. In versions prior to 0.2.0, the vulnerability stems from improper privilege dropping, which enables local privilege escalation through command re-execution. This flaw is associated with CWEs 250 (Execution with Unnecessary Privileges), 269 (Improper Privilege Management), and 273 (Improper Check for Dropped Privileges), and carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete confidentiality, integrity, and availability impacts.

A local attacker requires only local access to the system with no special privileges (PR:N) and can exploit the issue with low complexity and no user interaction. By leveraging the improper privilege dropping during command re-execution, the attacker can escalate from an unprivileged account to higher privileges, potentially gaining full control over the system and executing arbitrary code with elevated rights.

The vulnerability has been addressed in theshit version 0.2.0, as detailed in the project's GitHub security advisory (GHSA-2j3p-gqw5-g59j) and the patching commit (5293957b119e55212dce2c6dcbaf1d7eb794602a). Security practitioners should recommend immediate upgrades to the patched version for affected installations to mitigate the risk of local privilege escalation.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

theshit is a command-line utility that automatically detects and fixes common mistakes in shell commands. Prior to version 0.2.0, improper privilege dropping allows local privilege escalation via command re-execution. This issue has been patched in version 0.2.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Improper privilege dropping in local CLI tool directly enables exploitation for local privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23896Shared CWE-269
CVE-2025-0893Shared CWE-269
CVE-2025-2858Shared CWE-269
CVE-2026-31368Shared CWE-269
CVE-2026-21983Shared CWE-269
CVE-2024-49742Shared CWE-269
CVE-2026-1993Shared CWE-269
CVE-2026-29124Shared CWE-269
CVE-2026-29923Shared CWE-269
CVE-2024-47770Shared CWE-269

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces the principle of least privilege, directly countering the improper privilege dropping and unnecessary privileges (CWEs 250, 269, 273) that enable local escalation in theshit utility during command re-execution.

prevent

Requires timely identification, reporting, and patching of the specific flaw in theshit versions prior to 0.2.0, eliminating the privilege escalation vulnerability as addressed in the GitHub advisory.

prevent

Limits the system to least functionality by restricting or prohibiting unnecessary utilities like theshit, reducing the attack surface for privilege escalation exploits.

References