Security Vulnerability Report
CVE-2026-35339 CVSS 5.5 MEDIUM

CVE-2026-35339

Published: 2026-04-22 17:16:36
Last Modified: 2026-05-04 20:14:44

Description

The recursive mode (-R) of the chmod utility in uutils coreutils incorrectly handles exit codes when processing multiple files. The final return value is determined solely by the success or failure of the last file processed. This allows the command to return an exit code of 0 (success) even if errors were encountered on previous files, such as 'Operation not permitted'. Scripts relying on these exit codes may proceed under a false sense of success while sensitive files remain with restrictive or incorrect permissions.
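One way for a calling script to avoid depending on that exit status, as an added example (not code from uutils or from this advisory): after the recursive chmod, re-read the tree with find and fail if any entry lacks the requested mode. The function names are hypothetical, and the check assumes an octal mode applied uniformly to files and directories.

```bash
#!/bin/sh
# Added example: verify the result of a recursive chmod instead of trusting
# its exit status alone. Function names are hypothetical.

# list_mode_mismatches MODE DIR
# Prints every non-symlink entry under DIR whose permission bits are not
# exactly MODE (octal). Returns 0 if none, 1 if any, 2 on bad input or a
# find error.
list_mode_mismatches() {
    lm_mode=$1
    lm_dir=$2
    case $lm_mode in
        ''|*[!0-7]*) echo "mode must be octal: $lm_mode" >&2; return 2 ;;
    esac
    # Symlinks are skipped: their own mode bits are not what chmod -R sets.
    lm_out=$(find "$lm_dir" ! -type l ! -perm "$lm_mode" -print) || return 2
    if [ -z "$lm_out" ]; then
        return 0
    fi
    printf '%s\n' "$lm_out"
    return 1
}

# chmod_r_verified MODE DIR
# Runs chmod -R, then checks the tree independently. Fails if chmod reported
# an error OR if any entry still has a different mode, so a zero exit status
# from an affected chmod cannot hide an earlier failure.
chmod_r_verified() {
    cv_mode=$1
    cv_dir=$2
    cv_rc=0
    chmod -R "$cv_mode" "$cv_dir" || cv_rc=$?
    if ! list_mode_mismatches "$cv_mode" "$cv_dir" >&2; then
        echo "chmod -R exited $cv_rc but the entries above lack mode $cv_mode" >&2
        return 1
    fi
    return "$cv_rc"
}
```

Call it as `chmod_r_verified 750 /path/to/tree || exit 1`; the mismatching paths are written to standard error.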

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:* - VULNERABLE
uutils coreutils < 0.6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# PoC for CVE-2026-35339: uutils coreutils chmod exit code logic error
# This script demonstrates the scenario where chmod returns 0 despite errors.
mkdir -p /tmp/test_chmod_poc/subdir
touch /tmp/test_chmod_poc/protected_file
touch /tmp/test_chmod_poc/subdir/normal_file
# Simulate a failure on the first file (e.g., by removing write permissions or ownership if possible)
# In a real exploit scenario, the attacker would ensure 'protected_file' cannot be modified.
# When running 'uutils chmod -R 777 /tmp/test_chmod_poc', if 'normal_file' is processed last,
# the command returns exit code 0, hiding the failure on 'protected_file'.
# \$? is escaped so the message shows it literally instead of the status of the previous command.
echo "Files created. Run 'uutils chmod -R 777 /tmp/test_chmod_poc' and check echo \$?"
echo "Vulnerable behavior: Exit code is 0 even if protected_file failed."

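References

https://github.com/uutils/coreutils/pull/9793 - Issue Tracking, Patch
https://github.com/uutils/coreutils/releases/tag/0.6.0 - Release Notes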

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35339", "sourceIdentifier": "[email protected]", "published": "2026-04-22T17:16:35.767", "lastModified": "2026-05-04T20:14:43.883", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The recursive mode (-R) of the chmod utility in uutils coreutils incorrectly handles exit codes when processing multiple files. The final return value is determined solely by the success or failure of the last file processed. This allows the command to return an exit code of 0 (success) even if errors were encountered on previous files, such as 'Operation not permitted'. Scripts relying on these exit codes may proceed under a false sense of success while sensitive files remain with restrictive or incorrect permissions."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-253"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*", "versionEndExcluding": "0.6.0", "matchCriteriaId": "87C33018-2E08-45B0-B69C-7FC224F7F883"}]}]}], "references": [{"url": "https://github.com/uutils/coreutils/pull/9793", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.6.0", "source": "[email protected]", "tags": ["Release Notes"]}]}}