uutils coreutils CVE-2026-35367

EUVD-2026-25015
Severity: LOW
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-04-22 canonical GHSA-5hgf-628x-mcqf
CVSS 3.1 score: 3.3

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 23, 2026 - 07:00 (vuln.today)

Description (NVD)

The nohup utility in uutils coreutils creates its default output file, nohup.out, without specifying explicit restricted permissions. This causes the file to inherit umask-based permissions, typically resulting in a world-readable file (0644). In multi-user environments, this allows any user on the system to read the captured stdout/stderr output of a command, potentially exposing sensitive information. This behavior diverges from GNU coreutils, which creates nohup.out with owner-only (0600) permissions.

Analysis (AI)

The nohup utility in uutils coreutils creates its default output file with world-readable permissions (0644) instead of owner-only (0600), allowing any local user to read captured stdout/stderr and access potentially sensitive information in multi-user systems. This information disclosure vulnerability affects all versions of uutils coreutils and diverges from the secure permission model implemented in GNU coreutils.
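The permission difference described above, as an added Rust example (not uutils or GNU coreutils source code): a file created without an explicit mode next to one created with 0600. The function names, the scratch directory and the choice to tighten a pre-existing file are assumptions of this example.

```rust
use std::fs::{self, OpenOptions};
use std::io;
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Pattern the advisory describes: no explicit mode, so the kernel applies
/// 0o666 & !umask (0o644 under the common umask 022).
fn open_default(path: &Path) -> io::Result<u32> {
    let f = OpenOptions::new().create(true).append(true).open(path)?;
    Ok(f.metadata()?.permissions().mode() & 0o777)
}

/// Owner-only pattern: request 0o600 at creation. The mode argument only
/// takes effect when the file is created, so a file that already exists is
/// checked and stripped of group/other bits (a choice made by this example).
fn open_owner_only(path: &Path) -> io::Result<u32> {
    let f = OpenOptions::new().create(true).append(true).mode(0o600).open(path)?;
    let mode = f.metadata()?.permissions().mode() & 0o777;
    if mode & 0o077 != 0 {
        f.set_permissions(fs::Permissions::from_mode(mode & 0o700))?;
    }
    Ok(f.metadata()?.permissions().mode() & 0o777)
}

/// Runs both patterns in a scratch directory (constructed paths) and returns
/// (default mode, owner-only mode, mode after reopening the loose file).
fn demo() -> io::Result<(u32, u32, u32)> {
    let dir = std::env::temp_dir().join(format!("nohup-perm-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let loose = dir.join("default.out");
    let default_mode = open_default(&loose)?;
    let hardened = open_owner_only(&dir.join("hardened.out"))?;
    // Edge case: the output file was already created with loose permissions.
    let reused = open_owner_only(&loose)?;
    fs::remove_dir_all(&dir)?;
    Ok((default_mode, hardened, reused))
}

fn main() -> io::Result<()> {
    let (d, h, r) = demo()?;
    println!("default: {:o}  owner-only: {:o}  pre-existing, tightened: {:o}", d, h, r);
    Ok(())
}
```

The first value depends on the umask of the calling process; the other two carry no group or other bits regardless of it.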
