CVE-2026-35369 | THREATINT

Description

An argument parsing error in the kill utility of uutils coreutils incorrectly interprets kill -1 as a request to send the default signal (SIGTERM) to PID -1. Sending a signal to PID -1 causes the kernel to terminate all processes visible to the caller, potentially leading to a system crash or massive process termination. This differs from GNU coreutils, which correctly recognizes -1 as a signal number in this context and would instead report a missing PID argument.

PUBLISHED Reserved 2026-04-02 | Published 2026-04-22 | Updated 2026-04-22 | Assigner canonical

MEDIUM: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-20: Improper Input Validation

Product status

Default status

unaffected

Any version before 0.6.0

affected

Credits

Zellic finder

References

github.com/uutils/coreutils/pull/9700 issue-tracking patch

github.com/uutils/coreutils/releases/tag/0.6.0 vendor-advisory

cve.org (CVE-2026-35369)

nvd.nist.gov (CVE-2026-35369)

Download JSON