Coreutils
Monthly
Logic error in uutils coreutils cut utility causes incorrect behavior when combining the -s (only-delimited), -z (null-terminated), and -d '' (empty delimiter) flags, resulting in unfiltered records being emitted instead of suppressed. This breaks data integrity for automated pipelines relying on cut -s to exclude records without delimiters, affecting local users with limited privileges. The vulnerability has low exploitability (CVSS 3.3, SSVC indicates no exploitation status and non-automatable attack), but poses information disclosure and data corruption risks in security-sensitive data processing workflows.
Logic error in uutils coreutils cut utility causes incorrect interpretation of the literal two-byte string '' (two single quotes) as an empty delimiter, leading to silent data corruption when processing strings with these characters. The vulnerability affects uutils coreutils versions prior to 0.8.0 and impacts automated scripts and data pipelines that rely on precise delimiter handling, as the utility may unintentionally split or join data on NUL bytes rather than intended literal characters.
uutils coreutils tr utility misdefines POSIX character classes [:graph:] and [:print:], incorrectly including ASCII space (0x20) in [:graph:] and excluding it from [:print:] - the opposite of standard behavior. This logic error causes unintended data modification or loss when tr is used in automated scripts or data pipelines that depend on correct character class semantics, such as deletion of graphical characters inadvertently removing all spaces and corrupting structured data. Affects coreutils versions prior to 0.8.0; patch is available from vendor.
Logic error in uutils coreutils expr utility evaluates parenthesized subexpressions during parsing rather than execution, breaking short-circuit evaluation for logical OR and AND operations. This causes arithmetic errors in dead code branches (e.g., division by zero) to trigger fatal errors instead of being safely ignored, breaking shell script control flow and diverging from GNU expr compatibility. Affects uutils coreutils versions prior to 0.8.0; publicly available exploit code exists per SSVC data.
The env utility in uutils coreutils incorrectly rejects valid backslash escape sequences in single-quoted strings when using the -S (split-string) option, terminating with exit status 125 and causing local denial of service for scripts relying on GNU env compatibility. The implementation performs overly strict validation that diverges from GNU behavior, where backslashes outside of \\ and \' are treated literally rather than invalid, breaking automated administrative workflows.
Time-of-Check to Time-of-Use (TOCTOU) race condition in the chcon utility of uutils coreutils allows local attackers with directory write access to redirect recursive security label operations to unintended files or directories via symbolic link or rename races, potentially compromising SELinux security controls. The vulnerability affects versions prior to 0.8.0 and requires low privileges and high attack complexity to exploit, making it a moderate-severity issue with partial technical impact.
The split utility in uutils coreutils corrupts output filenames when processing non-UTF-8 prefix or suffix inputs by converting invalid byte sequences to UTF-8 replacement characters, causing filename mismatches, collisions, and potential data misdirection. Affected versions prior to 0.8.0 on all platforms exhibit this behavior, which deviates from GNU split's byte-preservation semantics. Local authenticated users can trigger the vulnerability through crafted non-UTF-8 input, leading to integrity issues in automated workflows relying on predictable filename generation.
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local attackers with directory write access to manipulate symbolic links between the initial path validation and file truncation, causing data loss to unintended target files including the input file or other sensitive files. CVSS 6.3 (local, high complexity, low privilege required); SSVC assesses as non-exploitable in automated attacks but partial technical impact due to manual race window exploitation requirements.
The ln utility in uutils coreutils fails to process source paths containing non-UTF-8 filename bytes when using target-directory forms, rejecting valid filenames that GNU ln handles correctly. This logic error affects automated scripts and system tasks on Unix filesystems where non-UTF-8 filenames are common, causing denial of service for those specific operations. SSVC classifies exploitation as possible (POC available) but not automatable, with partial technical impact.
The ln utility in uutils coreutils fails to honor the --no-dereference flag when the --force flag is not simultaneously enabled, allowing local attackers with low privileges to redirect symbolic link operations into unintended directories. An attacker can manipulate existing symlinks to cause a privileged user or system script running ln -n to create files in sensitive directories, leading to unauthorized file creation or system misconfiguration. CVSS score of 5.0 reflects local attack vector and low complexity; SSVC framework indicates non-automatable exploitation with partial technical impact.
The id utility in uutils coreutils displays incorrect effective user information in its pretty-print output when real and effective UIDs differ, using the effective GID instead of effective UID for name lookup. This causes misleading diagnostic output that could lead system administrators or automated scripts to make incorrect access control decisions, though impact is limited to information disclosure with no direct code execution or system compromise.
The id utility in uutils coreutils miscalculates group membership by using real GID instead of effective GID, causing output divergence from GNU coreutils and potentially enabling unauthorized access when scripts rely on id output for access-control decisions. Affects local users with privileges to execute the id command. Proof-of-concept code exists but no active exploitation in the wild has been confirmed.
Local denial of service in uutils coreutils kill utility before version 0.6.0 allows unprivileged users to crash the system or terminate all visible processes by exploiting incorrect argument parsing that sends SIGTERM to PID -1 instead of reporting a missing PID argument. The vulnerability requires local access and can be triggered without user interaction, distinguishing it from the correct behavior in GNU coreutils where -1 is interpreted as a signal number rather than a process identifier.
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access to the chroot target directory to execute arbitrary code via malicious NSS module injection. The vulnerability triggers when --userspec option causes getpwnam() to load attacker-controlled shared libraries from the new root before dropping privileges, enabling container escape or full system compromise on glibc-based systems. CVSS 7.8 with Scope Changed indicates host compromise from containerized environments. SSVC framework confirms POC availability and total technical impact, though exploitation requires specific configuration (writable NEWROOT) and is not automatable.
The nohup utility in uutils coreutils creates its default output file with world-readable permissions (0644) instead of owner-only (0600), allowing any local user to read captured stdout/stderr and access potentially sensitive information in multi-user systems. This information disclosure vulnerability affects all versions of uutils coreutils and diverges from the secure permission model implemented in GNU coreutils.
The printenv utility in uutils coreutils versions before 0.6.0 silently omits environment variables containing invalid UTF-8 byte sequences, allowing adversarial environment variables such as malicious LD_PRELOAD values to evade inspection by administrators and security auditing tools. This evasion capability enables library injection and other environment-based attacks to bypass detection, affecting systems that rely on printenv for security auditing or environment validation. The vulnerability requires local access with unprivileged user privileges (PR:L) to exploit and carries a CVSS score of 4.4 with confirmed proof-of-concept availability.
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across filesystem boundaries, allowing local authenticated users to trigger resource exhaustion via disk space consumption, disclose sensitive data through unexpected file duplication, or cause denial of service through infinite symlink loop recursion. Affected versions prior to 0.7.0 are vulnerable; a vendor-released patch is available.
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move operations allows local attackers with write access to the destination directory to exploit a window between file deletion and recreation, injecting a symbolic link to redirect privileged write operations and overwrite arbitrary files. Exploitation requires moderate attack complexity and local access with limited privileges, but grants the ability to corrupt or modify files beyond the attacker's normal permissions. Publicly available exploit code exists but the vulnerability has not been confirmed in active exploitation.
The rm utility in uutils coreutils fails to properly validate current directory paths with trailing slashes (./ or .///), allowing local users with write access to silently delete all contents of the current directory via rm -rf ./ while the utility reports a misleading 'Invalid input' error. CVSS score 5.6 reflects local attack vector and required user interaction, though the impact is severe data loss with potential recovery complications.
The mknod utility in uutils coreutils creates device nodes before atomically applying SELinux security labels, and fails to properly clean up mislabeled nodes if labeling operations fail. This leaves device nodes with incorrect default SELinux contexts, potentially bypassing mandatory access control restrictions on systems where SELinux is enforcing. Affects coreutils versions prior to 0.6.0; exploitation requires local root or elevated privileges and is not currently publicly exploited, though cleanup failures are guaranteed on labeling failure.
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows local attackers with user-level privileges to truncate arbitrary files and cause permanent data loss. The vulnerability exists in the window between when touch checks for a missing file and when it attempts file creation with O_TRUNC flag; an attacker can inject a symlink or create a file at the target path during this interval, causing touch to truncate an existing file that the attacker controls. SSVC framework indicates exploitation is possible via proof-of-concept code, though automation is not feasible due to race condition complexity.
Time-of-Check to Time-of-Use (TOCTOU) vulnerability in uutils coreutils cp utility allows local attackers with write access to bypass no-dereference protections and read arbitrary sensitive files. The cp command checks symbolic link status via metadata but opens files without O_NOFOLLOW, permitting race condition exploitation where an attacker swaps a regular file for a symbolic link between check and use, causing a privileged cp process to copy sensitive file contents to attacker-controlled destinations. Publicly available exploit code exists; SSVC framework indicates partial technical impact with non-automatable exploitation.
The cp utility in uutils coreutils versions before 0.7.0 incorrectly handles recursive copy operations (-R flag) by converting character and block device nodes into regular files instead of preserving them via mknod, destroying device semantics and enabling denial of service through disk exhaustion or process hangs when unbounded device nodes are copied.
The cp utility in uutils coreutils exposes sensitive file contents through a race condition where destination files are created with overly permissive umask-derived permissions before being restricted to their final restrictive mode. A local authenticated attacker can open the file during this narrow window to obtain a valid file descriptor that remains readable even after permissions are tightened, bypassing intended access controls. CVSS 4.7 with high confidentiality impact but limited exploitability due to high attack complexity and moderate SSVC rating.
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attackers with write access to redirect privileged file writes to arbitrary locations. The vulnerability exploits a Time-of-Check to Time-of-Use (TOCTOU) race condition between parent directory creation and target file creation, neither anchored to a directory file descriptor. CISA reports no active exploitation (SSVC: none), but the attack is non-automatable and requires specific concurrent write access conditions.
Time-of-Check to Time-of-Use (TOCTOU) race condition in uutils coreutils install utility allows local authenticated attackers to redirect privileged file writes to arbitrary system locations via symbolic link swapping. By exploiting the window between file unlinking and recreation, an attacker with local access and low privileges can overwrite critical system files when the install command runs with elevated privileges, achieving both integrity compromise and denial of service.
Time-of-check-time-of-use (TOCTOU) vulnerability in uutils coreutils mv utility during cross-device file moves allows local attackers with directory write access to manipulate extended attributes (xattrs) on destination files by swapping files between sequential path-based system calls, potentially causing security labels like SELinux attributes or file capabilities to be applied inconsistently. CVSS 4.7 (local, high complexity) with confirmed vulnerability reported by Canonical; CISA SSVC assessment indicates non-automatable exploitation with partial technical impact.
The mkdir utility in uutils coreutils creates directories with default umask-derived permissions (0755) before applying the requested mode via chmod, creating a race condition window where a directory intended to be private becomes briefly accessible to other local users. This affects uutils coreutils versions prior to 0.6.0 and requires local authenticated access to exploit, limiting real-world impact despite the CVSS score of 3.3.
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file permissions on arbitrary system files. A TOCTOU race condition between FIFO creation and permission setting enables symlink swapping attacks, redirecting chmod operations to unintended targets. SSVC framework indicates proof-of-concept exists with total technical impact. While CVSS rates this 7.0 (High), exploitation requires high attack complexity (race condition timing), low privileges, and write access to the parent directory where mkfifo is executed - most impactful when the utility runs with elevated privileges in automated scripts or system processes. No active exploitation confirmed (not in CISA KEV); EPSS data not available.
The mv utility in uutils coreutils fails to preserve file ownership when moving files across filesystem boundaries, causing moved files to be reassigned to the caller's UID/GID instead of retaining the source file's ownership metadata. When invoked by privileged users (such as root), this results in unexpected ownership changes that can lead to information disclosure or access restrictions for legitimate file owners. Exploitation requires local access and high privileges; a public proof-of-concept exists but active exploitation has not been confirmed in the wild.
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during file copying with the -p flag, potentially creating unprivileged user-owned files that retain elevated privilege bits and violate security policies. This behavior diverges from GNU cp, which strips these bits when ownership preservation fails. Local users with write access to directories can exploit this to create unexpected privileged executables.
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root filesystem by supplying a symbolic link that resolves to the root directory, rather than relying on authentic root inode comparison. The vulnerability affects coreutils versions before 0.7.0 and requires local access with no special privileges, though successful exploitation is hindered by high complexity (AC:H). CISA exploitation status is none at time of analysis, and a vendor patch has been released.
The sort utility in uutils coreutils crashes with a process panic when the --files0-from option processes inputs containing non-UTF-8 filenames, allowing local authenticated attackers to cause denial of service. Unlike GNU sort, which handles filenames as raw bytes, uutils enforces UTF-8 encoding via expect() calls that immediately panic on invalid sequences. A proof-of-concept exploit exists; SSVC analysis indicates partial technical impact with non-automatable exploitation.
The comm utility in uutils coreutils drains FIFO and pipe streams before performing file comparison due to premature data consumption in the are_files_identical function, causing silent data loss and potential indefinite hangs on infinite streams. Local authenticated users can trigger this vulnerability to corrupt or lose data in piped workflows, affecting the integrity of command-line data processing chains.
The comm utility in uutils coreutils silently corrupts binary and non-UTF-8 encoded file output by replacing invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD), diverging from GNU comm's byte-preserving behavior. This affects any user comparing files with legacy encodings or binary content, resulting in data integrity loss. A proof-of-concept demonstrating the lossy conversion exists, and a patch is available.
The tail utility in uutils coreutils discloses sensitive file contents through improper symlink handling when using the --follow=name option. Unlike GNU tail, uutils continues monitoring a file path after it has been replaced with a symbolic link, causing it to output the contents of the link's target. A local attacker with write access to a monitored directory can exploit this to exfiltrate sensitive system files such as /etc/shadow when a privileged user (e.g., root) runs tail in follow mode. Publicly available exploit code exists, and the vulnerability requires local access and specific deployment conditions (privileged tail process monitoring user-writable directories).
Silent data corruption in uutils coreutils dd utility results from unconditionally suppressing truncation errors on regular files and directories, allowing backup and migration scripts to report successful operations while destination files contain old or corrupted data when disk space is exhausted or file systems are read-only.
The cut utility in uutils coreutils fails to suppress non-delimited lines when the -s (only-delimited) option is used with a newline character as the delimiter, causing unfiltered data to be passed to downstream processes. Affected versions prior to 0.8.0 exhibit this logic error, which has low real-world impact due to local-only attack vector and partial technical scope, though it violates strict data filtering contracts that scripts may depend upon.
mktemp utility in uutils coreutils mishandles empty TMPDIR environment variables by creating temporary files in the current working directory instead of falling back to /tmp, potentially exposing sensitive data if the CWD has overly permissive access controls. Affects uutils coreutils versions prior to 0.6.0 and requires local attacker with limited privileges to manipulate the environment or exploit overly accessible working directories; CVSS 3.3 reflects low severity (local access, limited confidentiality impact) despite information disclosure risk.
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary files to world-readable mode. When mkfifo attempts to create a FIFO at a path where a file already exists, it erroneously continues execution and calls set_permissions on the existing file, changing its mode to default (typically 644 after umask). This can expose sensitive files like SSH private keys (~/.ssh/id_rsa) or application secrets to unauthorized local users. CISA SSVC confirms proof-of-concept code exists with total technical impact, though EPSS data is not available and the vulnerability is not yet in CISA KEV, indicating exploitation remains theoretical rather than widespread.
uutils coreutils chown and chgrp utilities return incorrect exit codes during recursive directory operations, masking ownership change failures and allowing administrative scripts to incorrectly assume successful permission transfers. When processing multiple files recursively, the final exit code reflects only the last file's result; if that file succeeds, the command returns 0 even if earlier operations failed due to permission errors. This integrity flaw affects local users with limited privileges on systems running affected versions below 0.6.0, creating risk of security misconfigurations in automated deployment and configuration management scripts.
The chmod utility in uutils coreutils versions prior to 0.6.0 incorrectly reports success (exit code 0) when recursively processing multiple files, even if permission changes fail on earlier files due to access restrictions or other errors. This causes scripts and automation to proceed under a false assumption that all files were modified correctly, potentially leaving sensitive files with unintended or restrictive permissions.
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing local authenticated users to execute destructive permission changes across the entire root filesystem. The vulnerability stems from incomplete path canonicalization that permits path traversal variants (/../) and symbolic links to circumvent safety checks, potentially causing system-wide denial of service. EPSS score of 0.01% indicates minimal exploitation probability in the wild, with no public exploit code identified and vendor patch available in version 0.6.0.
fts.c in coreutils 8.4 allows local users to delete arbitrary files. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required. No vendor patch available.
chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer. Rated medium severity (CVSS 4.6), this vulnerability is low attack complexity. No vendor patch available.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Logic error in uutils coreutils cut utility causes incorrect behavior when combining the -s (only-delimited), -z (null-terminated), and -d '' (empty delimiter) flags, resulting in unfiltered records being emitted instead of suppressed. This breaks data integrity for automated pipelines relying on cut -s to exclude records without delimiters, affecting local users with limited privileges. The vulnerability has low exploitability (CVSS 3.3, SSVC indicates no exploitation status and non-automatable attack), but poses information disclosure and data corruption risks in security-sensitive data processing workflows.
Logic error in uutils coreutils cut utility causes incorrect interpretation of the literal two-byte string '' (two single quotes) as an empty delimiter, leading to silent data corruption when processing strings with these characters. The vulnerability affects uutils coreutils versions prior to 0.8.0 and impacts automated scripts and data pipelines that rely on precise delimiter handling, as the utility may unintentionally split or join data on NUL bytes rather than intended literal characters.
uutils coreutils tr utility misdefines POSIX character classes [:graph:] and [:print:], incorrectly including ASCII space (0x20) in [:graph:] and excluding it from [:print:] - the opposite of standard behavior. This logic error causes unintended data modification or loss when tr is used in automated scripts or data pipelines that depend on correct character class semantics, such as deletion of graphical characters inadvertently removing all spaces and corrupting structured data. Affects coreutils versions prior to 0.8.0; patch is available from vendor.
Logic error in uutils coreutils expr utility evaluates parenthesized subexpressions during parsing rather than execution, breaking short-circuit evaluation for logical OR and AND operations. This causes arithmetic errors in dead code branches (e.g., division by zero) to trigger fatal errors instead of being safely ignored, breaking shell script control flow and diverging from GNU expr compatibility. Affects uutils coreutils versions prior to 0.8.0; publicly available exploit code exists per SSVC data.
The env utility in uutils coreutils incorrectly rejects valid backslash escape sequences in single-quoted strings when using the -S (split-string) option, terminating with exit status 125 and causing local denial of service for scripts relying on GNU env compatibility. The implementation performs overly strict validation that diverges from GNU behavior, where backslashes outside of \\ and \' are treated literally rather than invalid, breaking automated administrative workflows.
Time-of-Check to Time-of-Use (TOCTOU) race condition in the chcon utility of uutils coreutils allows local attackers with directory write access to redirect recursive security label operations to unintended files or directories via symbolic link or rename races, potentially compromising SELinux security controls. The vulnerability affects versions prior to 0.8.0 and requires low privileges and high attack complexity to exploit, making it a moderate-severity issue with partial technical impact.
The split utility in uutils coreutils corrupts output filenames when processing non-UTF-8 prefix or suffix inputs by converting invalid byte sequences to UTF-8 replacement characters, causing filename mismatches, collisions, and potential data misdirection. Affected versions prior to 0.8.0 on all platforms exhibit this behavior, which deviates from GNU split's byte-preservation semantics. Local authenticated users can trigger the vulnerability through crafted non-UTF-8 input, leading to integrity issues in automated workflows relying on predictable filename generation.
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local attackers with directory write access to manipulate symbolic links between the initial path validation and file truncation, causing data loss to unintended target files including the input file or other sensitive files. CVSS 6.3 (local, high complexity, low privilege required); SSVC assesses as non-exploitable in automated attacks but partial technical impact due to manual race window exploitation requirements.
The ln utility in uutils coreutils fails to process source paths containing non-UTF-8 filename bytes when using target-directory forms, rejecting valid filenames that GNU ln handles correctly. This logic error affects automated scripts and system tasks on Unix filesystems where non-UTF-8 filenames are common, causing denial of service for those specific operations. SSVC classifies exploitation as possible (POC available) but not automatable, with partial technical impact.
The ln utility in uutils coreutils fails to honor the --no-dereference flag when the --force flag is not simultaneously enabled, allowing local attackers with low privileges to redirect symbolic link operations into unintended directories. An attacker can manipulate existing symlinks to cause a privileged user or system script running ln -n to create files in sensitive directories, leading to unauthorized file creation or system misconfiguration. CVSS score of 5.0 reflects local attack vector and low complexity; SSVC framework indicates non-automatable exploitation with partial technical impact.
The id utility in uutils coreutils displays incorrect effective user information in its pretty-print output when real and effective UIDs differ, using the effective GID instead of effective UID for name lookup. This causes misleading diagnostic output that could lead system administrators or automated scripts to make incorrect access control decisions, though impact is limited to information disclosure with no direct code execution or system compromise.
The id utility in uutils coreutils miscalculates group membership by using real GID instead of effective GID, causing output divergence from GNU coreutils and potentially enabling unauthorized access when scripts rely on id output for access-control decisions. Affects local users with privileges to execute the id command. Proof-of-concept code exists but no active exploitation in the wild has been confirmed.
Local denial of service in uutils coreutils kill utility before version 0.6.0 allows unprivileged users to crash the system or terminate all visible processes by exploiting incorrect argument parsing that sends SIGTERM to PID -1 instead of reporting a missing PID argument. The vulnerability requires local access and can be triggered without user interaction, distinguishing it from the correct behavior in GNU coreutils where -1 is interpreted as a signal number rather than a process identifier.
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access to the chroot target directory to execute arbitrary code via malicious NSS module injection. The vulnerability triggers when --userspec option causes getpwnam() to load attacker-controlled shared libraries from the new root before dropping privileges, enabling container escape or full system compromise on glibc-based systems. CVSS 7.8 with Scope Changed indicates host compromise from containerized environments. SSVC framework confirms POC availability and total technical impact, though exploitation requires specific configuration (writable NEWROOT) and is not automatable.
The nohup utility in uutils coreutils creates its default output file with world-readable permissions (0644) instead of owner-only (0600), allowing any local user to read captured stdout/stderr and access potentially sensitive information in multi-user systems. This information disclosure vulnerability affects all versions of uutils coreutils and diverges from the secure permission model implemented in GNU coreutils.
The printenv utility in uutils coreutils versions before 0.6.0 silently omits environment variables containing invalid UTF-8 byte sequences, allowing adversarial environment variables such as malicious LD_PRELOAD values to evade inspection by administrators and security auditing tools. This evasion capability enables library injection and other environment-based attacks to bypass detection, affecting systems that rely on printenv for security auditing or environment validation. The vulnerability requires local access with unprivileged user privileges (PR:L) to exploit and carries a CVSS score of 4.4 with confirmed proof-of-concept availability.
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across filesystem boundaries, allowing local authenticated users to trigger resource exhaustion via disk space consumption, disclose sensitive data through unexpected file duplication, or cause denial of service through infinite symlink loop recursion. Affected versions prior to 0.7.0 are vulnerable; a vendor-released patch is available.
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move operations allows local attackers with write access to the destination directory to exploit a window between file deletion and recreation, injecting a symbolic link to redirect privileged write operations and overwrite arbitrary files. Exploitation requires moderate attack complexity and local access with limited privileges, but grants the ability to corrupt or modify files beyond the attacker's normal permissions. Publicly available exploit code exists but the vulnerability has not been confirmed in active exploitation.
The rm utility in uutils coreutils fails to properly validate current directory paths with trailing slashes (./ or .///), allowing local users with write access to silently delete all contents of the current directory via rm -rf ./ while the utility reports a misleading 'Invalid input' error. CVSS score 5.6 reflects local attack vector and required user interaction, though the impact is severe data loss with potential recovery complications.
The mknod utility in uutils coreutils creates device nodes before atomically applying SELinux security labels, and fails to properly clean up mislabeled nodes if labeling operations fail. This leaves device nodes with incorrect default SELinux contexts, potentially bypassing mandatory access control restrictions on systems where SELinux is enforcing. Affects coreutils versions prior to 0.6.0; exploitation requires local root or elevated privileges and is not currently publicly exploited, though cleanup failures are guaranteed on labeling failure.
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows local attackers with user-level privileges to truncate arbitrary files and cause permanent data loss. The vulnerability exists in the window between when touch checks for a missing file and when it attempts file creation with O_TRUNC flag; an attacker can inject a symlink or create a file at the target path during this interval, causing touch to truncate an existing file that the attacker controls. SSVC framework indicates exploitation is possible via proof-of-concept code, though automation is not feasible due to race condition complexity.
Time-of-Check to Time-of-Use (TOCTOU) vulnerability in uutils coreutils cp utility allows local attackers with write access to bypass no-dereference protections and read arbitrary sensitive files. The cp command checks symbolic link status via metadata but opens files without O_NOFOLLOW, permitting race condition exploitation where an attacker swaps a regular file for a symbolic link between check and use, causing a privileged cp process to copy sensitive file contents to attacker-controlled destinations. Publicly available exploit code exists; SSVC framework indicates partial technical impact with non-automatable exploitation.
The cp utility in uutils coreutils versions before 0.7.0 incorrectly handles recursive copy operations (-R flag) by converting character and block device nodes into regular files instead of preserving them via mknod, destroying device semantics and enabling denial of service through disk exhaustion or process hangs when unbounded device nodes are copied.
The cp utility in uutils coreutils exposes sensitive file contents through a race condition where destination files are created with overly permissive umask-derived permissions before being restricted to their final restrictive mode. A local authenticated attacker can open the file during this narrow window to obtain a valid file descriptor that remains readable even after permissions are tightened, bypassing intended access controls. CVSS 4.7 with high confidentiality impact but limited exploitability due to high attack complexity and moderate SSVC rating.
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attackers with write access to redirect privileged file writes to arbitrary locations. The vulnerability exploits a Time-of-Check to Time-of-Use (TOCTOU) race condition between parent directory creation and target file creation, neither anchored to a directory file descriptor. CISA reports no active exploitation (SSVC: none), but the attack is non-automatable and requires specific concurrent write access conditions.
Time-of-Check to Time-of-Use (TOCTOU) race condition in uutils coreutils install utility allows local authenticated attackers to redirect privileged file writes to arbitrary system locations via symbolic link swapping. By exploiting the window between file unlinking and recreation, an attacker with local access and low privileges can overwrite critical system files when the install command runs with elevated privileges, achieving both integrity compromise and denial of service.
Time-of-check-time-of-use (TOCTOU) vulnerability in uutils coreutils mv utility during cross-device file moves allows local attackers with directory write access to manipulate extended attributes (xattrs) on destination files by swapping files between sequential path-based system calls, potentially causing security labels like SELinux attributes or file capabilities to be applied inconsistently. CVSS 4.7 (local, high complexity) with confirmed vulnerability reported by Canonical; CISA SSVC assessment indicates non-automatable exploitation with partial technical impact.
The mkdir utility in uutils coreutils creates directories with default umask-derived permissions (0755) before applying the requested mode via chmod, creating a race condition window where a directory intended to be private becomes briefly accessible to other local users. This affects uutils coreutils versions prior to 0.6.0 and requires local authenticated access to exploit, limiting real-world impact despite the CVSS score of 3.3.
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file permissions on arbitrary system files. A TOCTOU race condition between FIFO creation and permission setting enables symlink swapping attacks, redirecting chmod operations to unintended targets. SSVC framework indicates proof-of-concept exists with total technical impact. While CVSS rates this 7.0 (High), exploitation requires high attack complexity (race condition timing), low privileges, and write access to the parent directory where mkfifo is executed - most impactful when the utility runs with elevated privileges in automated scripts or system processes. No active exploitation confirmed (not in CISA KEV); EPSS data not available.
The mv utility in uutils coreutils fails to preserve file ownership when moving files across filesystem boundaries, causing moved files to be reassigned to the caller's UID/GID instead of retaining the source file's ownership metadata. When invoked by privileged users (such as root), this results in unexpected ownership changes that can lead to information disclosure or access restrictions for legitimate file owners. Exploitation requires local access and high privileges; a public proof-of-concept exists but active exploitation has not been confirmed in the wild.
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during file copying with the -p flag, potentially creating unprivileged user-owned files that retain elevated privilege bits and violate security policies. This behavior diverges from GNU cp, which strips these bits when ownership preservation fails. Local users with write access to directories can exploit this to create unexpected privileged executables.
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root filesystem by supplying a symbolic link that resolves to the root directory, rather than relying on authentic root inode comparison. The vulnerability affects coreutils versions before 0.7.0 and requires local access with no special privileges, though successful exploitation is hindered by high complexity (AC:H). CISA exploitation status is none at time of analysis, and a vendor patch has been released.
The sort utility in uutils coreutils crashes with a process panic when the --files0-from option processes inputs containing non-UTF-8 filenames, allowing local authenticated attackers to cause denial of service. Unlike GNU sort, which handles filenames as raw bytes, uutils enforces UTF-8 encoding via expect() calls that immediately panic on invalid sequences. A proof-of-concept exploit exists; SSVC analysis indicates partial technical impact with non-automatable exploitation.
The comm utility in uutils coreutils drains FIFO and pipe streams before performing file comparison due to premature data consumption in the are_files_identical function, causing silent data loss and potential indefinite hangs on infinite streams. Local authenticated users can trigger this vulnerability to corrupt or lose data in piped workflows, affecting the integrity of command-line data processing chains.
The comm utility in uutils coreutils silently corrupts binary and non-UTF-8 encoded file output by replacing invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD), diverging from GNU comm's byte-preserving behavior. This affects any user comparing files with legacy encodings or binary content, resulting in data integrity loss. A proof-of-concept demonstrating the lossy conversion exists, and a patch is available.
The tail utility in uutils coreutils discloses sensitive file contents through improper symlink handling when using the --follow=name option. Unlike GNU tail, uutils continues monitoring a file path after it has been replaced with a symbolic link, causing it to output the contents of the link's target. A local attacker with write access to a monitored directory can exploit this to exfiltrate sensitive system files such as /etc/shadow when a privileged user (e.g., root) runs tail in follow mode. Publicly available exploit code exists, and the vulnerability requires local access and specific deployment conditions (privileged tail process monitoring user-writable directories).
Silent data corruption in uutils coreutils dd utility results from unconditionally suppressing truncation errors on regular files and directories, allowing backup and migration scripts to report successful operations while destination files contain old or corrupted data when disk space is exhausted or file systems are read-only.
The cut utility in uutils coreutils fails to suppress non-delimited lines when the -s (only-delimited) option is used with a newline character as the delimiter, causing unfiltered data to be passed to downstream processes. Affected versions prior to 0.8.0 exhibit this logic error, which has low real-world impact due to local-only attack vector and partial technical scope, though it violates strict data filtering contracts that scripts may depend upon.
mktemp utility in uutils coreutils mishandles empty TMPDIR environment variables by creating temporary files in the current working directory instead of falling back to /tmp, potentially exposing sensitive data if the CWD has overly permissive access controls. Affects uutils coreutils versions prior to 0.6.0 and requires local attacker with limited privileges to manipulate the environment or exploit overly accessible working directories; CVSS 3.3 reflects low severity (local access, limited confidentiality impact) despite information disclosure risk.
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary files to world-readable mode. When mkfifo attempts to create a FIFO at a path where a file already exists, it erroneously continues execution and calls set_permissions on the existing file, changing its mode to default (typically 644 after umask). This can expose sensitive files like SSH private keys (~/.ssh/id_rsa) or application secrets to unauthorized local users. CISA SSVC confirms proof-of-concept code exists with total technical impact, though EPSS data is not available and the vulnerability is not yet in CISA KEV, indicating exploitation remains theoretical rather than widespread.
uutils coreutils chown and chgrp utilities return incorrect exit codes during recursive directory operations, masking ownership change failures and allowing administrative scripts to incorrectly assume successful permission transfers. When processing multiple files recursively, the final exit code reflects only the last file's result; if that file succeeds, the command returns 0 even if earlier operations failed due to permission errors. This integrity flaw affects local users with limited privileges on systems running affected versions below 0.6.0, creating risk of security misconfigurations in automated deployment and configuration management scripts.
The chmod utility in uutils coreutils versions prior to 0.6.0 incorrectly reports success (exit code 0) when recursively processing multiple files, even if permission changes fail on earlier files due to access restrictions or other errors. This causes scripts and automation to proceed under a false assumption that all files were modified correctly, potentially leaving sensitive files with unintended or restrictive permissions.
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing local authenticated users to execute destructive permission changes across the entire root filesystem. The vulnerability stems from incomplete path canonicalization that permits path traversal variants (/../) and symbolic links to circumvent safety checks, potentially causing system-wide denial of service. EPSS score of 0.01% indicates minimal exploitation probability in the wild, with no public exploit code identified and vendor patch available in version 0.6.0.
fts.c in coreutils 8.4 allows local users to delete arbitrary files. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required. No vendor patch available.
chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer. Rated medium severity (CVSS 4.6), this vulnerability is low attack complexity. No vendor patch available.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.