Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions, this discrepancy can lead to unauthorized access or security misconfigurations.
AnalysisAI
The id utility in uutils coreutils miscalculates group membership by using real GID instead of effective GID, causing output divergence from GNU coreutils and potentially enabling unauthorized access when scripts rely on id output for access-control decisions. Affects local users with privileges to execute the id command. Proof-of-concept code exists but no active exploitation in the wild has been confirmed.
Technical ContextAI
The id utility is a standard POSIX command that reports user and group identity information, including effective user ID (EUID), real user ID (UID), effective group ID (EGID), and supplementary group list. The vulnerability stems from CWE-863 (Incorrect Authorization), where uutils coreutils uses the real GID (from the password database) instead of the effective GID (the actual active group context at execution time) when computing the groups= output field. This matters because POSIX systems support privilege elevation scenarios where a process runs with a different effective GID than its real GID-for example, via setgid(2) system calls or file capabilities. GNU coreutils correctly reports the effective GID and derived group list, while uutils coreutils reports the real GID's groups, creating a discrepancy. Many security-critical scripts, container orchestration tools, and access-control systems parse id output to verify group membership before granting permissions.
RemediationAI
Patch the uutils coreutils id utility to calculate group membership using effective GID (egid) instead of real GID (rgid). Check the upstream repository at https://github.com/uutils/coreutils/issues/10006 for the released fix version and apply it. Until patching, defenders should audit scripts and automated processes that parse id output for access-control decisions and consider replacing reliance on id with direct system calls (getegid, getgroups) or executing GNU coreutils id instead. For containerized or containerized workloads, ensure that the official GNU coreutils binary is preferred, or rebuild uutils coreutils from a patched source. Note that this mitigation has minimal performance trade-off but may require revalidation of existing scripts if they have workarounds that compensated for the bug.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25018
GHSA-47c7-qrm7-mqw7