Skip to main content

uutils coreutils CVE-2026-35340

| EUVDEUVD-2026-24967 MEDIUM
Incorrect Check of Function Return Value (CWE-253)
2026-04-22 canonical GHSA-88ch-q68x-36v7
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 00:18 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-24967
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
Patch released
Apr 22, 2026 - 16:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 16:07 nvd
MEDIUM 5.5

DescriptionCVE.org

A flaw in the ChownExecutor used by uutils coreutils chown and chgrp causes the utilities to return an incorrect exit code during recursive operations. The final exit code is determined only by the last file processed. If the last operation succeeds, the command returns 0 even if earlier ownership or group changes failed due to permission errors. This can lead to security misconfigurations where administrative scripts incorrectly assume that ownership has been successfully transferred across a directory tree.

AnalysisAI

uutils coreutils chown and chgrp utilities return incorrect exit codes during recursive directory operations, masking ownership change failures and allowing administrative scripts to incorrectly assume successful permission transfers. When processing multiple files recursively, the final exit code reflects only the last file's result; if that file succeeds, the command returns 0 even if earlier operations failed due to permission errors. This integrity flaw affects local users with limited privileges on systems running affected versions below 0.6.0, creating risk of security misconfigurations in automated deployment and configuration management scripts.

Technical ContextAI

The vulnerability exists in the ChownExecutor component of uutils coreutils, a Rust-based reimplementation of GNU coreutils utilities. The chown and chgrp commands recursively traverse directory trees to change file ownership or group membership. The root cause (CWE-253: Incorrect Check of Function Return Value) involves the exit code logic failing to aggregate error states across all processed files; only the success or failure of the final file in the traversal is reflected in the return value. This allows partial failures to go undetected, a critical issue when the command is invoked from shell scripts or automation frameworks that rely on exit codes (return value 0 vs. non-zero) to determine operation success. The affected CPE (cpe:2.3:a:uutils:coreutils:*:*:*:*:*:*:*:*) encompasses all versions below 0.6.0.

RemediationAI

Upgrade uutils coreutils to version 0.6.0 or later. This patched version corrects the ChownExecutor exit code logic to properly aggregate failure states across all files processed during recursive operations. The fix is available at https://github.com/uutils/coreutils/releases/tag/0.6.0 and was implemented via PR #10035 (https://github.com/uutils/coreutils/pull/10035). For environments unable to upgrade immediately, implement compensating controls: audit shell scripts and automation that depend on chown/chgrp exit codes, explicitly verify permission changes via stat() or ls -l after running chown/chgrp (e.g., add validation steps in deployment scripts that check actual permissions rather than trusting return codes), and restrict execution of chown/chgrp to trusted administrators via sudo rules, reducing the pool of users who can inadvertently misuse the command. These compensating controls add operational overhead (extra validation steps, slower script execution) but maintain security until patching is feasible.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

CVE-2026-35340 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy