Skip to main content

uutils coreutils CVE-2026-35368

| EUVDEUVD-2026-25016 HIGH
Untrusted Search Path (CWE-426)
2026-04-22 canonical GHSA-mh5c-xrmh-m794
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 24, 2026 - 19:22 vuln.today
cvss_changed
Analysis Generated
Apr 23, 2026 - 06:49 vuln.today
CVSS changed
Apr 22, 2026 - 17:22 NVD
7.2 (HIGH) 7.8 (HIGH)
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-25016
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
CVE Published
Apr 22, 2026 - 16:08 nvd
HIGH 7.8

DescriptionCVE.org

A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering the chroot but before dropping root privileges. On glibc-based systems, this can trigger the Name Service Switch (NSS) to load shared libraries (e.g., libnss_*.so.2) from the new root directory. If the NEWROOT is writable by an attacker, they can inject a malicious NSS module to execute arbitrary code as root, facilitating a full container escape or privilege escalation.

AnalysisAI

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access to the chroot target directory to execute arbitrary code via malicious NSS module injection. The vulnerability triggers when --userspec option causes getpwnam() to load attacker-controlled shared libraries from the new root before dropping privileges, enabling container escape or full system compromise on glibc-based systems. CVSS 7.8 with Scope Changed indicates host compromise from containerized environments. SSVC framework confirms POC availability and total technical impact, though exploitation requires specific configuration (writable NEWROOT) and is not automatable.

Technical ContextAI

The vulnerability affects the chroot implementation in uutils coreutils, a Rust-based reimplementation of GNU coreutils utilities. When the --userspec option is used to change user context, the chroot utility calls getpwnam() to resolve user specifications after chrooting but before dropping root privileges. On glibc-based systems, this triggers the Name Service Switch (NSS) framework to dynamically load shared libraries (libnss_*.so.2 modules) from the new root directory to perform user lookups. The timing vulnerability (CWE-426: Untrusted Search Path) creates a window where NSS modules are loaded with root privileges from attacker-controlled directories. This differs from proper implementations that drop privileges before any untrusted code execution or perform user resolution before entering the chroot jail. The Scope Changed (S:C) in the CVSS vector indicates the vulnerability breaks security boundaries, allowing escape from containerized environments where uutils coreutils might be used instead of GNU coreutils.

RemediationAI

Primary remediation requires upgrading uutils coreutils to a patched version once available-monitor the GitHub issue at https://github.com/uutils/coreutils/issues/10327 and official uutils releases for fix announcements. Until a patch is released, implement the following specific compensating controls: First, ensure all NEWROOT directories used with chroot are owned by root with permissions 0755 or more restrictive, preventing unprivileged write access (verify with 'find /path/to/chroots -type d -perm -002' to identify world-writable directories). Second, avoid using the --userspec option entirely if possible-perform user context changes outside the chroot or use alternative containerization technologies like namespaces with proper user mapping. Third, in containerized environments, replace uutils coreutils with standard GNU coreutils in base images, accepting the trade-off of using C-based rather than memory-safe implementations. Fourth, implement mandatory access control (SELinux/AppArmor) policies that prevent loading shared libraries from user-writable paths even when executed as root, though this adds operational complexity for legitimate NSS module loading. Fifth, audit systems for uutils coreutils usage with 'chroot --version' and inventory where it appears in container images, build pipelines, or system installations.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

CVE-2026-35355 MEDIUM
6.3 Apr 22

Time-of-Check to Time-of-Use (TOCTOU) race condition in uutils coreutils install utility allows local authenticated atta

Share

CVE-2026-35368 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy