Skip to main content

uutils coreutils CVE-2026-35367

| EUVDEUVD-2026-25015 LOW
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-04-22 canonical GHSA-5hgf-628x-mcqf
3.3
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 23, 2026 - 07:00 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-25015
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
CVE Published
Apr 22, 2026 - 16:08 nvd
LOW 3.3

DescriptionCVE.org

The nohup utility in uutils coreutils creates its default output file, nohup.out, without specifying explicit restricted permissions. This causes the file to inherit umask-based permissions, typically resulting in a world-readable file (0644). In multi-user environments, this allows any user on the system to read the captured stdout/stderr output of a command, potentially exposing sensitive information. This behavior diverges from GNU coreutils, which creates nohup.out with owner-only (0600) permissions.

AnalysisAI

The nohup utility in uutils coreutils creates its default output file with world-readable permissions (0644) instead of owner-only (0600), allowing any local user to read captured stdout/stderr and access potentially sensitive information in multi-user systems. This information disclosure vulnerability affects all versions of uutils coreutils and diverges from the secure permission model implemented in GNU coreutils.

Technical ContextAI

The nohup utility is a POSIX-standard command that allows processes to continue running after the user logs out by redirecting output to a file (typically nohup.out). uutils coreutils is a Rust-based reimplementation of GNU coreutils. The vulnerability stems from CWE-732 (Incorrect Permission Assignment for Critical Resource): when nohup.out is created, the code fails to explicitly set restrictive file permissions via chmod() or umask manipulation, causing the file to inherit default umask-based permissions. In typical Linux environments with default umask 0022, this results in 0644 permissions (rw-r--r--). In contrast, GNU coreutils explicitly creates nohup.out with 0600 permissions (rw-------), restricting read access to the file owner only. This is a permission-based information disclosure affecting any process output redirected to nohup.out on systems running uutils coreutils.

RemediationAI

Upgrade to a patched version of uutils coreutils that explicitly sets nohup.out file permissions to 0600 at creation time. The exact patched version should be obtained from the uutils coreutils project releases. As a temporary compensating control in multi-user environments, system administrators can: (1) Configure global umask to 0077 (restrictive default), which will cause nohup.out to inherit 0600 permissions automatically-note this affects all file creation on the system and may break applications expecting world-readable files; (2) Manually post-create each nohup.out file with chmod 0600 nohup.out immediately after process start; (3) Restrict nohup usage via sudo rules or filesystem-level access controls to trusted users only; (4) Educate users to avoid redirecting sensitive output to nohup.out or use alternative logging mechanisms with explicit permission controls. The preferred fix is upgrading to the patched uutils coreutils version. Consult https://nvd.nist.gov/vuln/detail/CVE-2026-35367 and the uutils coreutils GitHub repository for patch release information.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

CVE-2026-35367 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy