Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability in the tail utility of uutils coreutils allows for the exfiltration of sensitive file contents when using the --follow=name option. Unlike GNU tail, the uutils implementation continues to monitor a path after it has been replaced by a symbolic link, subsequently outputting the contents of the link's target. In environments where a privileged user (e.g., root) monitors a log directory, a local attacker with write access to that directory can replace a log file with a symlink to a sensitive system file (such as /etc/shadow), causing tail to disclose the contents of the sensitive file.
AnalysisAI
The tail utility in uutils coreutils discloses sensitive file contents through improper symlink handling when using the --follow=name option. Unlike GNU tail, uutils continues monitoring a file path after it has been replaced with a symbolic link, causing it to output the contents of the link's target. A local attacker with write access to a monitored directory can exploit this to exfiltrate sensitive system files such as /etc/shadow when a privileged user (e.g., root) runs tail in follow mode. Publicly available exploit code exists, and the vulnerability requires local access and specific deployment conditions (privileged tail process monitoring user-writable directories).
Technical ContextAI
The tail utility implements file monitoring via the --follow=name option, which is intended to track changes to a named file path even if the underlying inode is replaced (in contrast to --follow=descriptor, which tracks the open file descriptor). The vulnerability stems from a race condition rooted in CWE-367 (Time-of-check Time-of-use), where uutils fails to verify whether the path refers to a symlink after the initial check but before reading from it. GNU tail mitigates this by refusing to follow symlinks in --follow=name mode, but uutils does not implement this safeguard. The affected product is identified by CPE cpe:2.3:a:uutils:coreutils:*:*:*:*:*:*:*:*, indicating all versions of the uutils coreutils package are potentially vulnerable.
RemediationAI
Patch the uutils coreutils installation to a version that implements symlink detection in --follow=name mode, matching the behavior of GNU tail. Exact patched version numbers are not provided in the available data; check the GitHub repository at https://github.com/uutils/coreutils/issues/10328 and the NVD advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-35345 for the specific release that addresses this issue. As a compensating control in systems where patching is delayed, restrict write access to directories monitored by privileged tail processes - use filesystem permissions to prevent unprivileged users from creating or replacing files in log directories (e.g., chmod 755 /var/log with owned-by-root files). This reduces the attack surface but may impact legitimate log rotation workflows. Alternatively, deploy monitoring processes with the principle of least privilege, running tail as an unprivileged user rather than root if operationally feasible. If uutils coreutils is critical to your environment, consider switching to GNU coreutils (which is not affected) as a temporary mitigation, though this may require code changes if uutils-specific features are in use.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24977
GHSA-xf75-659h-cgg5