Skip to main content

uutils coreutils EUVDEUVD-2026-24984

| CVE-2026-35351 MEDIUM
Improper Preservation of Permissions (CWE-281)
2026-04-22 canonical
4.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.2 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 23, 2026 - 07:04 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-24984
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
CVE Published
Apr 22, 2026 - 16:08 nvd
MEDIUM 4.2

DescriptionCVE.org

The mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls back to a copy-and-delete routine that creates the destination file using the caller's UID/GID rather than the source's metadata. This flaw breaks backups and migrations, causing files moved by a privileged user (e.g., root) to become root-owned unexpectedly, which can lead to information disclosure or restricted access for the intended owners.

AnalysisAI

The mv utility in uutils coreutils fails to preserve file ownership when moving files across filesystem boundaries, causing moved files to be reassigned to the caller's UID/GID instead of retaining the source file's ownership metadata. When invoked by privileged users (such as root), this results in unexpected ownership changes that can lead to information disclosure or access restrictions for legitimate file owners. Exploitation requires local access and high privileges; a public proof-of-concept exists but active exploitation has not been confirmed in the wild.

Technical ContextAI

The uutils coreutils implementation of the POSIX mv utility uses a copy-and-delete fallback routine when moving files across different filesystem boundaries (since hard-linking is not possible across filesystems). During this operation, the newly created destination file inherits the caller's UID/GID via standard file creation mechanisms rather than explicitly preserving the source file's ownership attributes. This occurs because the copy operation does not call chown() to restore the original file's ownership after creation. The vulnerability is classified under CWE-281 (Improper Preservation of Permissions), which covers cases where file permission or ownership metadata is not correctly maintained during operations.

RemediationAI

Upgrade uutils coreutils to a patched version once available; the exact fixed version number is not specified in the provided data, so consult the project's official release notes and GitHub repository for the exact version that addresses CVE-2026-35351. Until a patch is released, implement compensating controls: (1) when moving files across filesystems as root, manually verify ownership post-move using ls -l and correct with chown if needed - trade-off is increased operational overhead; (2) configure backup and migration workflows to run as the source file's owner rather than root where feasible, reducing privilege escalation risk - requires workflow redesign; (3) use explicit chown commands immediately after mv operations in automated scripts to restore original ownership - adds execution time but ensures correctness; (4) prefer GNU coreutils instead of uutils coreutils for critical file operations if ownership preservation is mandatory. Monitor GitHub issue #9714 for patch release announcements.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

EUVD-2026-24984 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy