OpenClaw, Incomplete Fix for Process Termination, CVE-2026-27486 (Medium)

Listen to this Post

The vulnerability stems from an incomplete fix for CVE-2026-27486. While the original patch introduced a graceful shutdown sequence in `src/process/kill-tree.ts` (sending SIGTERM, waiting a grace period, then escalating to SIGKILL), a pre-patch copy of the `killProcessTree` function remained in `src/agents/shell-utils.ts` (lines 170–192). This function sends SIGKILL immediately without any SIGTERM attempt. The `!stop` chat command handler in `src/auto-reply/reply/bash-command.ts` imports and calls this vulnerable version instead of the patched one. Specifically, at line 302, it executes `killProcessTree(pid)` from shell-utils.ts, leading to an instant hard kill. A Proof of Concept (PoC) demonstrates the difference: running a bash process that traps SIGTERM, the vulnerable path sends only SIGKILL, preventing graceful shutdown, while the patched path sends SIGTERM first, allowing cleanup.

dailycve form:

Platform: OpenClaw
Version: <= 2026.3.14
Vulnerability: Incomplete Fix
Severity: Medium
date: 2026-03-31

Prediction: Patched in 2026.3.24

What Undercode Say:

Vulnerable function in src/agents/shell-utils.ts
export function killProcessTree(pid: number): void {
try {
process.kill(-pid, "SIGKILL");
} catch {
try {
process.kill(pid, "SIGKILL");
} catch {}
}
}
Patched function in src/process/kill-tree.ts
function killProcessTreeUnix(pid: number, graceMs: number): void {
try { process.kill(-pid, "SIGTERM"); } catch {}
setTimeout(() => {
if (isProcessAlive(-pid)) {
try { process.kill(-pid, "SIGKILL"); } catch {}
}
}, graceMs).unref();
}
Run vulnerable exploit PoC
node exploit_sigkill.cjs

Exploit:

The exploit uses the exact logic from shell-utils.ts, sending SIGKILL to a process group without a SIGTERM grace period, as demonstrated in the provided PoC script.

Protection from this CVE

Upgrade to OpenClaw version 2026.3.24 or later, where the `!stop` command correctly imports the patched `killProcessTree` from src/process/kill-tree.ts.

Impact

Data corruption, resource leaks, and bypassed security-sensitive cleanup due to immediate process termination without graceful shutdown.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top