Skip to main content

uutils coreutils CVE-2026-35369

| EUVDEUVD-2026-25017 MEDIUM
Improper Input Validation (CWE-20)
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 07:05 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-25017
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
Patch released
Apr 22, 2026 - 16:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 16:08 nvd
MEDIUM 5.5

DescriptionCVE.org

An argument parsing error in the kill utility of uutils coreutils incorrectly interprets kill -1 as a request to send the default signal (SIGTERM) to PID -1. Sending a signal to PID -1 causes the kernel to terminate all processes visible to the caller, potentially leading to a system crash or massive process termination. This differs from GNU coreutils, which correctly recognizes -1 as a signal number in this context and would instead report a missing PID argument.

AnalysisAI

Local denial of service in uutils coreutils kill utility before version 0.6.0 allows unprivileged users to crash the system or terminate all visible processes by exploiting incorrect argument parsing that sends SIGTERM to PID -1 instead of reporting a missing PID argument. The vulnerability requires local access and can be triggered without user interaction, distinguishing it from the correct behavior in GNU coreutils where -1 is interpreted as a signal number rather than a process identifier.

Technical ContextAI

The uutils coreutils kill utility is a Rust implementation of the POSIX kill command. The vulnerability stems from improper argument parsing (CWE-20: Improper Input Validation) in how the utility interprets the command-line arguments. When invoked as 'kill -1', the utility incorrectly parses '-1' as a signal specifier (interpreting it as the default SIGTERM signal) rather than as a process identifier, resulting in a call to the kernel that targets PID -1. In Unix/Linux kernel semantics, sending a signal to PID -1 is a special case that broadcasts the signal to all processes visible to the calling user, triggering widespread process termination. GNU coreutils correctly handles this edge case by recognizing '-1' as a signal number in context and reporting a missing PID argument instead.

RemediationAI

Upgrade uutils coreutils to version 0.6.0 or later. Vendor-released patch is available via the official release at https://github.com/uutils/coreutils/releases/tag/0.6.0 and was merged upstream in PR #9700. For systems unable to immediately upgrade, restrict execution of the kill utility to trusted users only via Unix file permissions (e.g., chmod 750 on the coreutils binary directory or chmod u+s,go-rx on the kill executable if it must remain available), or use SELinux/AppArmor policies to prevent untrusted processes from executing kill with arbitrary arguments. Note that permission-based mitigations may break legitimate kill functionality for unprivileged users and should be evaluated in context of each deployment's operational requirements.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

CVE-2026-35369 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy