Severity by source
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering the chroot but before dropping root privileges. On glibc-based systems, this can trigger the Name Service Switch (NSS) to load shared libraries (e.g., libnss_*.so.2) from the new root directory. If the NEWROOT is writable by an attacker, they can inject a malicious NSS module to execute arbitrary code as root, facilitating a full container escape or privilege escalation.
AnalysisAI
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access to the chroot target directory to execute arbitrary code via malicious NSS module injection. The vulnerability triggers when --userspec option causes getpwnam() to load attacker-controlled shared libraries from the new root before dropping privileges, enabling container escape or full system compromise on glibc-based systems. CVSS 7.8 with Scope Changed indicates host compromise from containerized environments. SSVC framework confirms POC availability and total technical impact, though exploitation requires specific configuration (writable NEWROOT) and is not automatable.
Technical ContextAI
The vulnerability affects the chroot implementation in uutils coreutils, a Rust-based reimplementation of GNU coreutils utilities. When the --userspec option is used to change user context, the chroot utility calls getpwnam() to resolve user specifications after chrooting but before dropping root privileges. On glibc-based systems, this triggers the Name Service Switch (NSS) framework to dynamically load shared libraries (libnss_*.so.2 modules) from the new root directory to perform user lookups. The timing vulnerability (CWE-426: Untrusted Search Path) creates a window where NSS modules are loaded with root privileges from attacker-controlled directories. This differs from proper implementations that drop privileges before any untrusted code execution or perform user resolution before entering the chroot jail. The Scope Changed (S:C) in the CVSS vector indicates the vulnerability breaks security boundaries, allowing escape from containerized environments where uutils coreutils might be used instead of GNU coreutils.
RemediationAI
Primary remediation requires upgrading uutils coreutils to a patched version once available-monitor the GitHub issue at https://github.com/uutils/coreutils/issues/10327 and official uutils releases for fix announcements. Until a patch is released, implement the following specific compensating controls: First, ensure all NEWROOT directories used with chroot are owned by root with permissions 0755 or more restrictive, preventing unprivileged write access (verify with 'find /path/to/chroots -type d -perm -002' to identify world-writable directories). Second, avoid using the --userspec option entirely if possible-perform user context changes outside the chroot or use alternative containerization technologies like namespaces with proper user mapping. Third, in containerized environments, replace uutils coreutils with standard GNU coreutils in base images, accepting the trade-off of using C-based rather than memory-safe implementations. Fourth, implement mandatory access control (SELinux/AppArmor) policies that prevent loading shared libraries from user-writable paths even when executed as root, though this adds operational complexity for legitimate NSS module loading. Fifth, audit systems for uutils coreutils usage with 'chroot --version' and inventory where it appears in container images, build pipelines, or system installations.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Time-of-Check to Time-of-Use (TOCTOU) race condition in uutils coreutils install utility allows local authenticated atta
Same weakness CWE-426 – Untrusted Search Path
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25016
GHSA-mh5c-xrmh-m794