Skip to main content

uutils coreutils CVE-2026-35350

| EUVDEUVD-2026-24982 MEDIUM
Improper Preservation of Permissions (CWE-281)
2026-04-22 canonical
6.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.6 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 23, 2026 - 07:03 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-24982
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
CVE Published
Apr 22, 2026 - 16:08 nvd
MEDIUM 6.6

DescriptionCVE.org

The cp utility in uutils coreutils fails to properly handle setuid and setgid bits when ownership preservation fails. When copying with the -p (preserve) flag, the utility applies the source mode bits even if the chown operation is unsuccessful. This can result in a user-owned copy retaining original privileged bits, creating unexpected privileged executables that violate local security policies. This differs from GNU cp, which clears these bits when ownership cannot be preserved.

AnalysisAI

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during file copying with the -p flag, potentially creating unprivileged user-owned files that retain elevated privilege bits and violate security policies. This behavior diverges from GNU cp, which strips these bits when ownership preservation fails. Local users with write access to directories can exploit this to create unexpected privileged executables.

Technical ContextAI

The cp utility's -p (preserve) flag is designed to retain file metadata including ownership, permissions, and special mode bits (setuid, setgid, sticky). The vulnerability lies in uutils coreutils' handling of the privilege bits during the two-phase copy process: first copying file contents and applying permissions, then attempting to change ownership via chown(). When chown() fails (typically due to insufficient privileges to change file ownership to the original owner), GNU cp correctly strips setuid and setgid bits to prevent privilege escalation, while uutils coreutils incorrectly applies the source mode bits unconditionally. This is rooted in CWE-281 (Improper Preservation of Permissions), where the utility fails to adjust privilege attributes when the underlying precondition (successful ownership change) is not met. The issue affects all versions of uutils coreutils that implement the cp command with the -p preservation feature.

RemediationAI

The primary remediation is to upgrade to a patched version of uutils coreutils once released by the maintainers. Check the GitHub repository at https://github.com/uutils/coreutils/issues/9750 for availability of a fix version. As a temporary workaround on systems that require uutils coreutils, avoid using the -p flag when copying files that may have setuid or setgid bits set, or use the GNU coreutils cp utility instead if available. For administrators unable to replace uutils coreutils immediately, restrict filesystem permissions to prevent unprivileged users from creating or manipulating files in directories where sensitive binaries are copied, and monitor for unexpected setuid/setgid executables using find commands such as 'find / -perm /6000 -type f' to detect privilege bit anomalies. Note that these workarounds reduce functionality or require environment changes; the definitive fix is to deploy a corrected version of uutils coreutils that strips privilege bits when chown fails, matching GNU cp behavior.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

CVE-2026-35355 MEDIUM
6.3 Apr 22

Time-of-Check to Time-of-Use (TOCTOU) race condition in uutils coreutils install utility allows local authenticated atta

Share

CVE-2026-35350 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy