Skip to main content

uutils coreutils EUVDEUVD-2026-24975

| CVE-2026-35344 LOW
Unchecked Return Value (CWE-252)
2026-04-22 canonical
3.3
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 23, 2026 - 00:18 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-24975
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
CVE Published
Apr 22, 2026 - 16:07 nvd
LOW 3.3

DescriptionCVE.org

The dd utility in uutils coreutils suppresses errors during file truncation operations by unconditionally calling Result::ok() on truncation attempts. While intended to mimic GNU behavior for special files like /dev/null, the uutils implementation also hides failures on regular files and directories caused by full disks or read-only file systems. This can lead to silent data corruption in backup or migration scripts, as the utility may report a successful operation even when the destination file contains old or garbage data.

AnalysisAI

Silent data corruption in uutils coreutils dd utility results from unconditionally suppressing truncation errors on regular files and directories, allowing backup and migration scripts to report successful operations while destination files contain old or corrupted data when disk space is exhausted or file systems are read-only.

Technical ContextAI

The dd utility is a low-level data copying and conversion tool commonly used in backup, imaging, and migration workflows. uutils coreutils is a Rust-based reimplementation of GNU coreutils designed for compatibility. The vulnerability stems from CWE-252 (Unchecked Return Value), specifically where the truncation operation calls Result::ok() unconditionally. This pattern was intended to match GNU coreutils behavior for special files like /dev/null that legitimately cannot be truncated, but the implementation incorrectly applies the same error suppression to regular files and directories. When truncation fails due to I/O errors (full disk, read-only file system), the error is discarded and the operation reports success, creating a logic gap where the integrity check is bypassed entirely.

RemediationAI

Update uutils coreutils to a patched version that properly handles truncation errors instead of suppressing them via unconditional ok() calls. The fix should propagate truncation failure signals to callers rather than silently discarding them. Consult the upstream repository and vendor advisories for the specific patched version number. As an interim compensating control for critical backup workflows, avoid using uutils coreutils dd in production backup or migration pipelines until patched; revert to GNU coreutils or verify each backup's integrity through independent checksums (sha256sum of source and destination must match). Where migration to GNU coreutils is not feasible, add a post-operation verification step that compares source and destination file sizes and hashes before considering the operation successful. This mitigation trades performance (additional I/O) for detection of silent data loss. Alternatively, configure file systems as read-write with adequate free space to reduce the likelihood of truncation errors, but note this does not eliminate the root cause.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

EUVD-2026-24975 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy