CVE-2026-21882

HighLPE

Published: 02 March 2026

Published

02 March 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0002 5.6th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21882 is a high-severity Execution with Unnecessary Privileges (CWE-250) vulnerability. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 5.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-6 Least Privilege good match

prevent

Enforces the principle of least privilege, directly countering the improper privilege dropping and unnecessary privileges (CWEs 250, 269, 273) that enable local escalation in theshit utility during command re-execution.

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and patching of the specific flaw in theshit versions prior to 0.2.0, eliminating the privilege escalation vulnerability as addressed in the GitHub advisory.

CM-7 Least Functionality partial match

prevent

Limits the system to least functionality by restricting or prohibiting unnecessary utilities like theshit, reducing the attack surface for privilege escalation exploits.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Improper privilege dropping in local CLI tool directly enables exploitation for local privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

theshit is a command-line utility that automatically detects and fixes common mistakes in shell commands. Prior to version 0.2.0, improper privilege dropping allows local privilege escalation via command re-execution. This issue has been patched in version 0.2.0.

Deeper analysisAI

CVE-2026-21882 affects theshit, a command-line utility designed to automatically detect and fix common mistakes in shell commands. In versions prior to 0.2.0, the vulnerability stems from improper privilege dropping, which enables local privilege escalation through command re-execution. This flaw is associated with CWEs 250 (Execution with Unnecessary Privileges), 269 (Improper Privilege Management), and 273 (Improper Check for Dropped Privileges), and carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete confidentiality, integrity, and availability impacts.

A local attacker requires only local access to the system with no special privileges (PR:N) and can exploit the issue with low complexity and no user interaction. By leveraging the improper privilege dropping during command re-execution, the attacker can escalate from an unprivileged account to higher privileges, potentially gaining full control over the system and executing arbitrary code with elevated rights.

The vulnerability has been addressed in theshit version 0.2.0, as detailed in the project's GitHub security advisory (GHSA-2j3p-gqw5-g59j) and the patching commit (5293957b119e55212dce2c6dcbaf1d7eb794602a). Security practitioners should recommend immediate upgrades to the patched version for affected installations to mitigate the risk of local privilege escalation.