What is actually CVE-2014-6271? Actually redhat did a very good job describing it: https://access.redhat.com/articles/1200223 From what I’ve understood, it’s basically a bug that allows you in bash to do some other command after the function declaration in a variable. Let’s change the example a little bit, so that it’s more easier to read: env your_function='() { echo "your function do something";}; echo "but I can still add other command after your function"' bash -c "echo this is a test" If you system is affected with the bug, if you run that command, you will see the text “but I can still add other command after your function”.