Skip to main content

uutils coreutils EUVDEUVD-2026-24965

| CVE-2026-35339 MEDIUM
Incorrect Check of Function Return Value (CWE-253)
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 00:18 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-24965
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
Patch released
Apr 22, 2026 - 16:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 16:07 nvd
MEDIUM 5.5

DescriptionCVE.org

The recursive mode (-R) of the chmod utility in uutils coreutils incorrectly handles exit codes when processing multiple files. The final return value is determined solely by the success or failure of the last file processed. This allows the command to return an exit code of 0 (success) even if errors were encountered on previous files, such as 'Operation not permitted'. Scripts relying on these exit codes may proceed under a false sense of success while sensitive files remain with restrictive or incorrect permissions.

AnalysisAI

The chmod utility in uutils coreutils versions prior to 0.6.0 incorrectly reports success (exit code 0) when recursively processing multiple files, even if permission changes fail on earlier files due to access restrictions or other errors. This causes scripts and automation to proceed under a false assumption that all files were modified correctly, potentially leaving sensitive files with unintended or restrictive permissions.

Technical ContextAI

The chmod utility is a core file permission management tool that supports recursive directory traversal via the -R flag. The vulnerability stems from a logic error in exit code aggregation (CWE-253: Incorrect Check of Function Return Value), where the final exit status reflects only the outcome of the last file processed rather than accumulating or reporting the worst-case error encountered. In properly designed utilities, exit codes should reflect aggregate success or the first/most critical error. The affected coreutils library is a cross-platform reimplementation of Unix core utilities in Rust, and the bug affects the command-line chmod interface when invoked with recursive mode.

RemediationAI

Upgrade uutils coreutils to version 0.6.0 or later, which includes the fix to properly aggregate exit codes across all files processed in recursive mode. Organizations using uutils coreutils should verify their package sources and dependency declarations. For immediate mitigation prior to upgrade, scripts relying on chmod exit codes should be modified to add explicit permission verification steps: after invoking chmod -R, run a secondary find or stat command to confirm that all intended files have the correct permissions, treating any discrepancies as a failure condition. This workaround adds performance overhead and complexity but ensures that permission enforcement is not bypassed by the exit code bug. No alternative mode or configuration flag can disable this vulnerability-upgrade is the only reliable fix.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

EUVD-2026-24965 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy