Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference (or -n) flag is explicitly provided. The implementation previously only honored the "no-dereference" intent if the --force (overwrite) mode was also enabled. This flaw causes ln to follow a symbolic link that points to a directory and create new links inside that target directory instead of treating the symbolic link itself as the destination. In environments where a privileged user or system script uses ln -n to update a symlink, a local attacker could manipulate existing symbolic links to redirect file creation into sensitive directories, potentially leading to unauthorized file creation or system misconfiguration.
AnalysisAI
The ln utility in uutils coreutils fails to honor the --no-dereference flag when the --force flag is not simultaneously enabled, allowing local attackers with low privileges to redirect symbolic link operations into unintended directories. An attacker can manipulate existing symlinks to cause a privileged user or system script running ln -n to create files in sensitive directories, leading to unauthorized file creation or system misconfiguration. CVSS score of 5.0 reflects local attack vector and low complexity; SSVC framework indicates non-automatable exploitation with partial technical impact.
Technical ContextAI
The ln utility is a core POSIX command used to create hard links and symbolic links. The --no-dereference (-n) flag is intended to prevent dereferencing of symbolic link targets, ensuring the link itself is the destination. The vulnerability exists in uutils coreutils, a Rust-based reimplementation of GNU coreutils utilities. The flaw is a logic error (CWE-61: Improper Link Resolution Before File Access) in the command-line argument processing where the no-dereference behavior was only applied when the --force (overwrite) flag was concurrently set. This means ln -n alone would still follow symlinks to directories, while ln -nf would correctly treat the symlink as a target. CPE cpe:2.3:a:uutils:coreutils identifies the affected product across all versions prior to 0.8.0.
RemediationAI
Upgrade uutils coreutils to version 0.8.0 or later, which includes the patch merged in PR #11253 (https://github.com/uutils/coreutils/pull/11253). The patched release is available at https://github.com/uutils/coreutils/releases/tag/0.8.0. For systems unable to upgrade immediately, the primary compensating control is to audit shell scripts and cron jobs that invoke ln with the -n flag and verify they are not operating on user-controlled or attacker-influenceable symlinks; consider restricting ln usage to elevated privileges only (e.g., sudo ln) and removing the utility from normal user PATH if not essential. An additional control is to use the more explicit ln -nf (force flag with no-dereference) in scripts to ensure both flags are set, though this changes semantics by overwriting existing targets; test before deployment. The trade-off is that removing ln functionality may break legitimate administrative workflows.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Same weakness CWE-61 – UNIX Symbolic Link (Symlink) Following
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25020
GHSA-wq63-vh5h-pr5p