Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Lifecycle Timeline
5DescriptionCVE.org
The mv utility in uutils coreutils improperly handles directory trees containing symbolic links during moves across filesystem boundaries. Instead of preserving symlinks, the implementation expands them, copying the linked targets as real files or directories at the destination. This can lead to resource exhaustion (disk space or time) if symlinks point to large external directories, unexpected duplication of sensitive data into unintended locations, or infinite recursion and repeated copying in the presence of symlink loops.
AnalysisAI
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across filesystem boundaries, allowing local authenticated users to trigger resource exhaustion via disk space consumption, disclose sensitive data through unexpected file duplication, or cause denial of service through infinite symlink loop recursion. Affected versions prior to 0.7.0 are vulnerable; a vendor-released patch is available.
Technical ContextAI
The uutils coreutils project is a Rust-based reimplementation of GNU coreutils utilities. The mv command is responsible for moving or renaming files and directories. The vulnerability exists in the symlink handling logic during cross-filesystem move operations (typically implemented via copy-then-delete when the source and destination reside on different filesystems). The implementation fails to detect and preserve symbolic links as-is, instead following symlink targets and recursively copying their contents. This violates POSIX semantics for mv, which should treat symlinks as atomic objects. The root cause (CWE-59: Improper Link Resolution Before File Access) manifests as the utility resolving symlink targets during traversal without verifying whether the link itself should be moved rather than its target dereferenced.
RemediationAI
Upgrade uutils coreutils to version 0.7.0 or later, which includes the vendor-released patch correcting symlink preservation during cross-filesystem moves. Users unable to upgrade immediately should avoid using mv to relocate directories containing untrusted symlinks across filesystem boundaries; instead, use alternative approaches such as cp with the -P flag (preserve symlinks) followed by rm, or restrict the operation to trusted directory trees. If moving user-supplied directory structures is unavoidable, validate that no symlinks exist in the source tree (via find -type l) before initiating the move. Note that workarounds incur operational friction and should be temporary; upgrading to 0.7.0 is the primary remediation. The patch is confirmed available from the vendor; no downstream delays are reported.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Time-of-Check to Time-of-Use (TOCTOU) race condition in uutils coreutils install utility allows local authenticated atta
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25012
GHSA-66fx-fqv6-5wwx