Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
A flaw in the ChownExecutor used by uutils coreutils chown and chgrp causes the utilities to return an incorrect exit code during recursive operations. The final exit code is determined only by the last file processed. If the last operation succeeds, the command returns 0 even if earlier ownership or group changes failed due to permission errors. This can lead to security misconfigurations where administrative scripts incorrectly assume that ownership has been successfully transferred across a directory tree.
AnalysisAI
uutils coreutils chown and chgrp utilities return incorrect exit codes during recursive directory operations, masking ownership change failures and allowing administrative scripts to incorrectly assume successful permission transfers. When processing multiple files recursively, the final exit code reflects only the last file's result; if that file succeeds, the command returns 0 even if earlier operations failed due to permission errors. This integrity flaw affects local users with limited privileges on systems running affected versions below 0.6.0, creating risk of security misconfigurations in automated deployment and configuration management scripts.
Technical ContextAI
The vulnerability exists in the ChownExecutor component of uutils coreutils, a Rust-based reimplementation of GNU coreutils utilities. The chown and chgrp commands recursively traverse directory trees to change file ownership or group membership. The root cause (CWE-253: Incorrect Check of Function Return Value) involves the exit code logic failing to aggregate error states across all processed files; only the success or failure of the final file in the traversal is reflected in the return value. This allows partial failures to go undetected, a critical issue when the command is invoked from shell scripts or automation frameworks that rely on exit codes (return value 0 vs. non-zero) to determine operation success. The affected CPE (cpe:2.3:a:uutils:coreutils:*:*:*:*:*:*:*:*) encompasses all versions below 0.6.0.
RemediationAI
Upgrade uutils coreutils to version 0.6.0 or later. This patched version corrects the ChownExecutor exit code logic to properly aggregate failure states across all files processed during recursive operations. The fix is available at https://github.com/uutils/coreutils/releases/tag/0.6.0 and was implemented via PR #10035 (https://github.com/uutils/coreutils/pull/10035). For environments unable to upgrade immediately, implement compensating controls: audit shell scripts and automation that depend on chown/chgrp exit codes, explicitly verify permission changes via stat() or ls -l after running chown/chgrp (e.g., add validation steps in deployment scripts that check actual permissions rather than trusting return codes), and restrict execution of chown/chgrp to trusted administrators via sudo rules, reducing the pool of users who can inadvertently misuse the command. These compensating controls add operational overhead (extra validation steps, slower script execution) but maintain security until patching is feasible.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Same weakness CWE-253 – Incorrect Check of Function Return Value
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24967
GHSA-88ch-q68x-36v7