Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Lifecycle Timeline
4DescriptionCVE.org
The cp utility in uutils coreutils fails to properly handle setuid and setgid bits when ownership preservation fails. When copying with the -p (preserve) flag, the utility applies the source mode bits even if the chown operation is unsuccessful. This can result in a user-owned copy retaining original privileged bits, creating unexpected privileged executables that violate local security policies. This differs from GNU cp, which clears these bits when ownership cannot be preserved.
AnalysisAI
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during file copying with the -p flag, potentially creating unprivileged user-owned files that retain elevated privilege bits and violate security policies. This behavior diverges from GNU cp, which strips these bits when ownership preservation fails. Local users with write access to directories can exploit this to create unexpected privileged executables.
Technical ContextAI
The cp utility's -p (preserve) flag is designed to retain file metadata including ownership, permissions, and special mode bits (setuid, setgid, sticky). The vulnerability lies in uutils coreutils' handling of the privilege bits during the two-phase copy process: first copying file contents and applying permissions, then attempting to change ownership via chown(). When chown() fails (typically due to insufficient privileges to change file ownership to the original owner), GNU cp correctly strips setuid and setgid bits to prevent privilege escalation, while uutils coreutils incorrectly applies the source mode bits unconditionally. This is rooted in CWE-281 (Improper Preservation of Permissions), where the utility fails to adjust privilege attributes when the underlying precondition (successful ownership change) is not met. The issue affects all versions of uutils coreutils that implement the cp command with the -p preservation feature.
RemediationAI
The primary remediation is to upgrade to a patched version of uutils coreutils once released by the maintainers. Check the GitHub repository at https://github.com/uutils/coreutils/issues/9750 for availability of a fix version. As a temporary workaround on systems that require uutils coreutils, avoid using the -p flag when copying files that may have setuid or setgid bits set, or use the GNU coreutils cp utility instead if available. For administrators unable to replace uutils coreutils immediately, restrict filesystem permissions to prevent unprivileged users from creating or manipulating files in directories where sensitive binaries are copied, and monitor for unexpected setuid/setgid executables using find commands such as 'find / -perm /6000 -type f' to detect privilege bit anomalies. Note that these workarounds reduce functionality or require environment changes; the definitive fix is to deploy a corrected version of uutils coreutils that strips privilege bits when chown fails, matching GNU cp behavior.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Time-of-Check to Time-of-Use (TOCTOU) race condition in uutils coreutils install utility allows local authenticated atta
Same weakness CWE-281 – Improper Preservation of Permissions
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24982