CVE-2026-35338 | THREATINT

Description

A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism. The implementation only validates if the target path is literally / and does not canonicalize the path. An attacker or accidental user can use path variants such as /../ or symbolic links to execute destructive recursive operations (e.g., chmod -R 000) on the entire root filesystem, leading to system-wide permission loss and potential complete system breakdown.

PUBLISHED Reserved 2026-04-02 | Published 2026-04-22 | Updated 2026-04-24 | Assigner canonical

HIGH: 7.3CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status

unaffected

Any version before 0.6.0

affected

Credits

Zellic finder

References

github.com/uutils/coreutils/pull/10033 patch issue-tracking

github.com/uutils/coreutils/releases/tag/0.6.0 vendor-advisory

cve.org (CVE-2026-35338)

nvd.nist.gov (CVE-2026-35338)

Download JSON