Listen to this Post
The vulnerability stems from an incomplete fix for CVE-2026-27486. While the original patch introduced a graceful shutdown sequence in `src/process/kill-tree.ts` (sending SIGTERM, waiting a grace period, then escalating to SIGKILL), a pre-patch copy of the `killProcessTree` function remained in `src/agents/shell-utils.ts` (lines 170–192). This function sends SIGKILL immediately without any SIGTERM attempt. The `!stop` chat command handler in `src/auto-reply/reply/bash-command.ts` imports and calls this vulnerable version instead of the patched one. Specifically, at line 302, it executes `killProcessTree(pid)` from shell-utils.ts, leading to an instant hard kill. A Proof of Concept (PoC) demonstrates the difference: running a bash process that traps SIGTERM, the vulnerable path sends only SIGKILL, preventing graceful shutdown, while the patched path sends SIGTERM first, allowing cleanup.
dailycve form:
Platform: OpenClaw
Version: <= 2026.3.14
Vulnerability: Incomplete Fix
Severity: Medium
date: 2026-03-31
Prediction: Patched in 2026.3.24
What Undercode Say:
Vulnerable function in src/agents/shell-utils.ts
export function killProcessTree(pid: number): void {
try {
process.kill(-pid, "SIGKILL");
} catch {
try {
process.kill(pid, "SIGKILL");
} catch {}
}
}
Patched function in src/process/kill-tree.ts
function killProcessTreeUnix(pid: number, graceMs: number): void {
try { process.kill(-pid, "SIGTERM"); } catch {}
setTimeout(() => {
if (isProcessAlive(-pid)) {
try { process.kill(-pid, "SIGKILL"); } catch {}
}
}, graceMs).unref();
}
Run vulnerable exploit PoC
node exploit_sigkill.cjs
Exploit:
The exploit uses the exact logic from shell-utils.ts, sending SIGKILL to a process group without a SIGTERM grace period, as demonstrated in the provided PoC script.
Protection from this CVE
Upgrade to OpenClaw version 2026.3.24 or later, where the `!stop` command correctly imports the patched `killProcessTree` from src/process/kill-tree.ts.
Impact
Data corruption, resource leaks, and bypassed security-sensitive cleanup due to immediate process termination without graceful shutdown.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

