Skip to main content

uutils coreutils CVE-2026-35338

| EUVDEUVD-2026-24963 HIGH
Path Traversal (CWE-22)
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Apr 27, 2026 - 12:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 27, 2026 - 12:37 vuln.today
cvss_changed
Analysis Generated
Apr 23, 2026 - 00:16 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-24963
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
Patch released
Apr 22, 2026 - 16:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 16:07 nvd
HIGH 7.3

DescriptionCVE.org

A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism. The implementation only validates if the target path is literally / and does not canonicalize the path. An attacker or accidental user can use path variants such as /../ or symbolic links to execute destructive recursive operations (e.g., chmod -R 000) on the entire root filesystem, leading to system-wide permission loss and potential complete system breakdown.

AnalysisAI

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing local authenticated users to execute destructive permission changes across the entire root filesystem. The vulnerability stems from incomplete path canonicalization that permits path traversal variants (/../) and symbolic links to circumvent safety checks, potentially causing system-wide denial of service. EPSS score of 0.01% indicates minimal exploitation probability in the wild, with no public exploit code identified and vendor patch available in version 0.6.0.

Technical ContextAI

uutils coreutils is a cross-platform Rust reimplementation of GNU coreutils utilities. The vulnerability (CWE-22: Path Traversal) exists in the chmod utility's --preserve-root implementation, a safety feature designed to prevent accidental recursive operations on the root directory. The flawed implementation performs only literal string comparison against '/' without canonicalizing the input path to its absolute form. This allows attackers to construct semantically equivalent paths using directory traversal sequences (/../) or symbolic links that resolve to root but bypass the string comparison check. Unlike GNU coreutils which performs proper path resolution before validation, the uutils implementation fails to normalize paths, creating a gap between the intended security control and actual behavior.

RemediationAI

Upgrade uutils coreutils to version 0.6.0 or later, which implements proper path canonicalization before --preserve-root validation (vendor advisory: https://github.com/uutils/coreutils/releases/tag/0.6.0, patch details: https://github.com/uutils/coreutils/pull/10033). For systems unable to immediately upgrade, implement compensating controls: restrict chmod execution through sudo policies requiring explicit approval for recursive operations on system directories; deploy file integrity monitoring to detect mass permission changes; utilize SELinux or AppArmor policies to confine chmod operations to non-root filesystem areas. Note that removing --preserve-root from habitual command usage actually increases risk by removing the intended safety check. Validate your environment uses uutils coreutils rather than GNU coreutils before prioritizing remediation, as GNU implementations are unaffected. Organizations using container images or Rust-based toolchains should audit dependency chains for uutils coreutils presence.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

CVE-2026-35355 MEDIUM
6.3 Apr 22

Time-of-Check to Time-of-Use (TOCTOU) race condition in uutils coreutils install utility allows local authenticated atta

Share

CVE-2026-35338 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy