PatchSiren cyber security CVE debrief

CVE-2016-7543 Fedoraproject CVE debrief

CVE-2016-7543 describes a local privilege-escalation issue in Bash where crafted SHELLOPTS and PS4 environment variables can be used to execute arbitrary commands with root privileges. The NVD record classifies the issue as HIGH severity and maps affected GNU Bash versions through 4.3, with additional Fedora package streams called out in the corpus.

Vendor: Fedoraproject
Product: CVE-2016-7543
CVSS: HIGH 8.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-19
Original CVE updated: 2026-05-13
Advisory published: 2017-01-19
Advisory updated: 2026-05-13

Who should care

Linux administrators, platform teams, and package maintainers who run GNU Bash on shared or multi-user systems should prioritize this issue, especially where untrusted local users may obtain shell access. Fedora, Red Hat, Gentoo, HPE, and other vendors referenced in the corpus may have issued downstream fixes or advisories for affected builds.

Technical summary

The vulnerability is a local command-execution flaw in Bash tied to environment-variable handling, specifically SHELLOPTS and PS4. In the NVD data, the CVSS v3.0 vector is AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating no prior privileges are required beyond local access, but successful abuse can result in full confidentiality, integrity, and availability impact if the shell runs with elevated privileges. The corpus lists GNU Bash through 4.3 as vulnerable and also associates Fedora 23, 24, and 25 package streams with the issue.

Defensive priority

High. The issue requires local access, so it is less urgent than a remotely exploitable flaw, but the root-level impact makes it important on any multi-user Linux environment or host where local logins, automation, or service accounts are present.

Recommended defensive actions

Update Bash to a vendor-fixed release; the corpus indicates affected GNU Bash versions through 4.3 and downstream vendor advisories are available.
Apply the relevant vendor errata or package updates referenced in the corpus for your distribution or appliance.
Inventory systems for Bash versions and affected package streams, including Fedora 23/24/25 and any vendor-repackaged Bash builds.
Prioritize multi-user servers, bastions, and systems where local shell access is possible.
Verify remediation after patching by checking package versions against the vendor advisory for your platform.

Evidence notes

The CVE was published in the official NVD record on 2017-01-19. The supplied corpus includes a 2016-09-26 bug-bash mailing-list reference, multiple vendor advisories, and NVD CPE criteria marking GNU Bash through 4.3 as vulnerable. The weakness is listed as CWE-20, and the CVSS v3.0 vector is AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Official resources

CVE-2016-7543 CVE record
CVE.org
CVE-2016-7543 NVD detail
NVD
Source item URL
nvd_modified
Source reference
[email protected]
Mitigation or vendor reference
[email protected] - Mailing List, Third Party Advisory
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry
Source reference
[email protected]
Source reference
[email protected]
Source reference
[email protected]
Source reference
[email protected]

CVE-2016-7543 was published in the official NVD record on 2017-01-19; the reference corpus also points to an earlier 2016-09-26 mailing-list advisory and later vendor remediation notices.