Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
The dd utility in uutils coreutils suppresses errors during file truncation operations by unconditionally calling Result::ok() on truncation attempts. While intended to mimic GNU behavior for special files like /dev/null, the uutils implementation also hides failures on regular files and directories caused by full disks or read-only file systems. This can lead to silent data corruption in backup or migration scripts, as the utility may report a successful operation even when the destination file contains old or garbage data.
AnalysisAI
Silent data corruption in uutils coreutils dd utility results from unconditionally suppressing truncation errors on regular files and directories, allowing backup and migration scripts to report successful operations while destination files contain old or corrupted data when disk space is exhausted or file systems are read-only.
Technical ContextAI
The dd utility is a low-level data copying and conversion tool commonly used in backup, imaging, and migration workflows. uutils coreutils is a Rust-based reimplementation of GNU coreutils designed for compatibility. The vulnerability stems from CWE-252 (Unchecked Return Value), specifically where the truncation operation calls Result::ok() unconditionally. This pattern was intended to match GNU coreutils behavior for special files like /dev/null that legitimately cannot be truncated, but the implementation incorrectly applies the same error suppression to regular files and directories. When truncation fails due to I/O errors (full disk, read-only file system), the error is discarded and the operation reports success, creating a logic gap where the integrity check is bypassed entirely.
RemediationAI
Update uutils coreutils to a patched version that properly handles truncation errors instead of suppressing them via unconditional ok() calls. The fix should propagate truncation failure signals to callers rather than silently discarding them. Consult the upstream repository and vendor advisories for the specific patched version number. As an interim compensating control for critical backup workflows, avoid using uutils coreutils dd in production backup or migration pipelines until patched; revert to GNU coreutils or verify each backup's integrity through independent checksums (sha256sum of source and destination must match). Where migration to GNU coreutils is not feasible, add a post-operation verification step that compares source and destination file sizes and hashes before considering the operation successful. This mitigation trades performance (additional I/O) for detection of silent data loss. Alternatively, configure file systems as read-write with adequate free space to reduce the likelihood of truncation errors, but note this does not eliminate the root cause.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Same weakness CWE-252 – Unchecked Return Value
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24975