Skip to main content

uutils coreutils EUVDEUVD-2026-25020

| CVE-2026-35372 MEDIUM
UNIX Symbolic Link (Symlink) Following (CWE-61)
2026-04-22 canonical GHSA-wq63-vh5h-pr5p
5.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.0 MEDIUM
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 07:02 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-25020
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
Patch released
Apr 22, 2026 - 16:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 16:08 nvd
MEDIUM 5.0

DescriptionCVE.org

A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference (or -n) flag is explicitly provided. The implementation previously only honored the "no-dereference" intent if the --force (overwrite) mode was also enabled. This flaw causes ln to follow a symbolic link that points to a directory and create new links inside that target directory instead of treating the symbolic link itself as the destination. In environments where a privileged user or system script uses ln -n to update a symlink, a local attacker could manipulate existing symbolic links to redirect file creation into sensitive directories, potentially leading to unauthorized file creation or system misconfiguration.

AnalysisAI

The ln utility in uutils coreutils fails to honor the --no-dereference flag when the --force flag is not simultaneously enabled, allowing local attackers with low privileges to redirect symbolic link operations into unintended directories. An attacker can manipulate existing symlinks to cause a privileged user or system script running ln -n to create files in sensitive directories, leading to unauthorized file creation or system misconfiguration. CVSS score of 5.0 reflects local attack vector and low complexity; SSVC framework indicates non-automatable exploitation with partial technical impact.

Technical ContextAI

The ln utility is a core POSIX command used to create hard links and symbolic links. The --no-dereference (-n) flag is intended to prevent dereferencing of symbolic link targets, ensuring the link itself is the destination. The vulnerability exists in uutils coreutils, a Rust-based reimplementation of GNU coreutils utilities. The flaw is a logic error (CWE-61: Improper Link Resolution Before File Access) in the command-line argument processing where the no-dereference behavior was only applied when the --force (overwrite) flag was concurrently set. This means ln -n alone would still follow symlinks to directories, while ln -nf would correctly treat the symlink as a target. CPE cpe:2.3:a:uutils:coreutils identifies the affected product across all versions prior to 0.8.0.

RemediationAI

Upgrade uutils coreutils to version 0.8.0 or later, which includes the patch merged in PR #11253 (https://github.com/uutils/coreutils/pull/11253). The patched release is available at https://github.com/uutils/coreutils/releases/tag/0.8.0. For systems unable to upgrade immediately, the primary compensating control is to audit shell scripts and cron jobs that invoke ln with the -n flag and verify they are not operating on user-controlled or attacker-influenceable symlinks; consider restricting ln usage to elevated privileges only (e.g., sudo ln) and removing the utility from normal user PATH if not essential. An additional control is to use the more explicit ln -nf (force flag with no-dereference) in scripts to ensure both flags are set, though this changes semantics by overwriting existing targets; test before deployment. The trade-off is that removing ln functionality may break legitimate administrative workflows.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

EUVD-2026-25020 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy