Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
The recursive mode (-R) of the chmod utility in uutils coreutils incorrectly handles exit codes when processing multiple files. The final return value is determined solely by the success or failure of the last file processed. This allows the command to return an exit code of 0 (success) even if errors were encountered on previous files, such as 'Operation not permitted'. Scripts relying on these exit codes may proceed under a false sense of success while sensitive files remain with restrictive or incorrect permissions.
AnalysisAI
The chmod utility in uutils coreutils versions prior to 0.6.0 incorrectly reports success (exit code 0) when recursively processing multiple files, even if permission changes fail on earlier files due to access restrictions or other errors. This causes scripts and automation to proceed under a false assumption that all files were modified correctly, potentially leaving sensitive files with unintended or restrictive permissions.
Technical ContextAI
The chmod utility is a core file permission management tool that supports recursive directory traversal via the -R flag. The vulnerability stems from a logic error in exit code aggregation (CWE-253: Incorrect Check of Function Return Value), where the final exit status reflects only the outcome of the last file processed rather than accumulating or reporting the worst-case error encountered. In properly designed utilities, exit codes should reflect aggregate success or the first/most critical error. The affected coreutils library is a cross-platform reimplementation of Unix core utilities in Rust, and the bug affects the command-line chmod interface when invoked with recursive mode.
RemediationAI
Upgrade uutils coreutils to version 0.6.0 or later, which includes the fix to properly aggregate exit codes across all files processed in recursive mode. Organizations using uutils coreutils should verify their package sources and dependency declarations. For immediate mitigation prior to upgrade, scripts relying on chmod exit codes should be modified to add explicit permission verification steps: after invoking chmod -R, run a secondary find or stat command to confirm that all intended files have the correct permissions, treating any discrepancies as a failure condition. This workaround adds performance overhead and complexity but ensures that permission enforcement is not bypassed by the exit code bug. No alternative mode or configuration flag can disable this vulnerability-upgrade is the only reliable fix.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Same weakness CWE-253 – Incorrect Check of Function Return Value
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24965
GHSA-4x34-chg5-mwjj