Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionCVE.org
A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism. The implementation only validates if the target path is literally / and does not canonicalize the path. An attacker or accidental user can use path variants such as /../ or symbolic links to execute destructive recursive operations (e.g., chmod -R 000) on the entire root filesystem, leading to system-wide permission loss and potential complete system breakdown.
AnalysisAI
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing local authenticated users to execute destructive permission changes across the entire root filesystem. The vulnerability stems from incomplete path canonicalization that permits path traversal variants (/../) and symbolic links to circumvent safety checks, potentially causing system-wide denial of service. EPSS score of 0.01% indicates minimal exploitation probability in the wild, with no public exploit code identified and vendor patch available in version 0.6.0.
Technical ContextAI
uutils coreutils is a cross-platform Rust reimplementation of GNU coreutils utilities. The vulnerability (CWE-22: Path Traversal) exists in the chmod utility's --preserve-root implementation, a safety feature designed to prevent accidental recursive operations on the root directory. The flawed implementation performs only literal string comparison against '/' without canonicalizing the input path to its absolute form. This allows attackers to construct semantically equivalent paths using directory traversal sequences (/../) or symbolic links that resolve to root but bypass the string comparison check. Unlike GNU coreutils which performs proper path resolution before validation, the uutils implementation fails to normalize paths, creating a gap between the intended security control and actual behavior.
RemediationAI
Upgrade uutils coreutils to version 0.6.0 or later, which implements proper path canonicalization before --preserve-root validation (vendor advisory: https://github.com/uutils/coreutils/releases/tag/0.6.0, patch details: https://github.com/uutils/coreutils/pull/10033). For systems unable to immediately upgrade, implement compensating controls: restrict chmod execution through sudo policies requiring explicit approval for recursive operations on system directories; deploy file integrity monitoring to detect mass permission changes; utilize SELinux or AppArmor policies to confine chmod operations to non-root filesystem areas. Note that removing --preserve-root from habitual command usage actually increases risk by removing the intended safety check. Validate your environment uses uutils coreutils rather than GNU coreutils before prioritizing remediation, as GNU implementations are unaffected. Organizations using container images or Rust-based toolchains should audit dependency chains for uutils coreutils presence.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Time-of-Check to Time-of-Use (TOCTOU) race condition in uutils coreutils install utility allows local authenticated atta
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24963
GHSA-4c7q-4928-8445