Skip to main content

uutils coreutils CVE-2026-35370

| EUVDEUVD-2026-25018 MEDIUM
Incorrect Authorization (CWE-863)
4.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.4 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 23, 2026 - 07:04 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-25018
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
CVE Published
Apr 22, 2026 - 16:08 nvd
MEDIUM 4.4

DescriptionCVE.org

The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions, this discrepancy can lead to unauthorized access or security misconfigurations.

AnalysisAI

The id utility in uutils coreutils miscalculates group membership by using real GID instead of effective GID, causing output divergence from GNU coreutils and potentially enabling unauthorized access when scripts rely on id output for access-control decisions. Affects local users with privileges to execute the id command. Proof-of-concept code exists but no active exploitation in the wild has been confirmed.

Technical ContextAI

The id utility is a standard POSIX command that reports user and group identity information, including effective user ID (EUID), real user ID (UID), effective group ID (EGID), and supplementary group list. The vulnerability stems from CWE-863 (Incorrect Authorization), where uutils coreutils uses the real GID (from the password database) instead of the effective GID (the actual active group context at execution time) when computing the groups= output field. This matters because POSIX systems support privilege elevation scenarios where a process runs with a different effective GID than its real GID-for example, via setgid(2) system calls or file capabilities. GNU coreutils correctly reports the effective GID and derived group list, while uutils coreutils reports the real GID's groups, creating a discrepancy. Many security-critical scripts, container orchestration tools, and access-control systems parse id output to verify group membership before granting permissions.

RemediationAI

Patch the uutils coreutils id utility to calculate group membership using effective GID (egid) instead of real GID (rgid). Check the upstream repository at https://github.com/uutils/coreutils/issues/10006 for the released fix version and apply it. Until patching, defenders should audit scripts and automated processes that parse id output for access-control decisions and consider replacing reliance on id with direct system calls (getegid, getgroups) or executing GNU coreutils id instead. For containerized or containerized workloads, ensure that the official GNU coreutils binary is preferred, or rebuild uutils coreutils from a patched source. Note that this mitigation has minimal performance trade-off but may require revalidation of existing scripts if they have workarounds that compensated for the bug.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

CVE-2026-35370 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy