Skip to main content

uutils coreutils CVE-2026-35358

| EUVDEUVD-2026-24998 MEDIUM
Use of Incorrectly-Resolved Name or Reference (CWE-706)
4.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.4 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 07:03 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-24998
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
Patch released
Apr 22, 2026 - 16:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 16:08 nvd
MEDIUM 4.4

DescriptionCVE.org

The cp utility in uutils coreutils, when performing recursive copies (-R), incorrectly treats character and block device nodes as stream sources rather than preserving them. Because the implementation reads bytes into regular files at the destination instead of using mknod, device semantics are destroyed (e.g., /dev/null becomes a regular file). This behavior can lead to runtime denial of service through disk exhaustion or process hangs when reading from unbounded device nodes.

AnalysisAI

The cp utility in uutils coreutils versions before 0.7.0 incorrectly handles recursive copy operations (-R flag) by converting character and block device nodes into regular files instead of preserving them via mknod, destroying device semantics and enabling denial of service through disk exhaustion or process hangs when unbounded device nodes are copied.

Technical ContextAI

The cp utility is a core file-copying command that supports recursive directory copying via the -R flag. Device nodes (/dev/null, /dev/zero, /dev/random, etc.) are special files that provide access to kernel device drivers and should be recreated as device nodes at the destination using mknod(2) system calls, preserving their character or block device properties and driver semantics. The uutils coreutils implementation incorrectly treats device nodes as regular stream sources, reading their contents into files at the destination. This violates POSIX cp semantics (CWE-706: Use of Incorrectly-Resolved Name or Reference) where device nodes must maintain their special file type. The issue affects all versions of uutils coreutils before 0.7.0 across all platforms where the cp command is compiled.

RemediationAI

Upgrade uutils coreutils to version 0.7.0 or later, which corrects the recursive copy behavior to properly preserve device nodes. No workaround exists for earlier versions that fully mitigates the risk; however, administrators can reduce exposure by restricting local user access to cp command execution (via sudo rules, AppArmor, or SELinux), avoiding recursive copies of directories containing device nodes, or using GNU coreutils (the reference implementation) as a drop-in replacement if uutils is not required for specific reasons. The patch is available at https://github.com/uutils/coreutils/pull/11163 and official advisory at https://github.com/uutils/coreutils/releases/tag/0.7.0.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

CVE-2026-35358 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy