Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
The mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls back to a copy-and-delete routine that creates the destination file using the caller's UID/GID rather than the source's metadata. This flaw breaks backups and migrations, causing files moved by a privileged user (e.g., root) to become root-owned unexpectedly, which can lead to information disclosure or restricted access for the intended owners.
AnalysisAI
The mv utility in uutils coreutils fails to preserve file ownership when moving files across filesystem boundaries, causing moved files to be reassigned to the caller's UID/GID instead of retaining the source file's ownership metadata. When invoked by privileged users (such as root), this results in unexpected ownership changes that can lead to information disclosure or access restrictions for legitimate file owners. Exploitation requires local access and high privileges; a public proof-of-concept exists but active exploitation has not been confirmed in the wild.
Technical ContextAI
The uutils coreutils implementation of the POSIX mv utility uses a copy-and-delete fallback routine when moving files across different filesystem boundaries (since hard-linking is not possible across filesystems). During this operation, the newly created destination file inherits the caller's UID/GID via standard file creation mechanisms rather than explicitly preserving the source file's ownership attributes. This occurs because the copy operation does not call chown() to restore the original file's ownership after creation. The vulnerability is classified under CWE-281 (Improper Preservation of Permissions), which covers cases where file permission or ownership metadata is not correctly maintained during operations.
RemediationAI
Upgrade uutils coreutils to a patched version once available; the exact fixed version number is not specified in the provided data, so consult the project's official release notes and GitHub repository for the exact version that addresses CVE-2026-35351. Until a patch is released, implement compensating controls: (1) when moving files across filesystems as root, manually verify ownership post-move using ls -l and correct with chown if needed - trade-off is increased operational overhead; (2) configure backup and migration workflows to run as the source file's owner rather than root where feasible, reducing privilege escalation risk - requires workflow redesign; (3) use explicit chown commands immediately after mv operations in automated scripts to restore original ownership - adds execution time but ensures correctness; (4) prefer GNU coreutils instead of uutils coreutils for critical file operations if ownership preservation is mandatory. Monitor GitHub issue #9714 for patch release announcements.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Same weakness CWE-281 – Improper Preservation of Permissions
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24984