Security Vulnerability Report
CVE-2026-35340 CVSS 5.5 MEDIUM

CVE-2026-35340

Published: 2026-04-22 17:16:36
Last Modified: 2026-05-04 20:12:02

Description

A flaw in the ChownExecutor used by uutils coreutils chown and chgrp causes the utilities to return an incorrect exit code during recursive operations. The final exit code is determined only by the last file processed. If the last operation succeeds, the command returns 0 even if earlier ownership or group changes failed due to permission errors. This can lead to security misconfigurations where administrative scripts incorrectly assume that ownership has been successfully transferred across a directory tree.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:* - VULNERABLE
uutils coreutils < 0.6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# PoC for CVE-2026-35340: Incorrect Exit Code in Recursive Chown
# This script demonstrates the logic flaw where the exit code depends only on the last file.

# Setup directory structure
POC_DIR="/tmp/cve_2026_35340_poc"
rm -rf "$POC_DIR"
mkdir -p "$POC_DIR"

# Create two files
# 'protected_file' is assumed to be owned by root (or immutable) to cause failure
# 'accessible_file' is owned by current user to ensure success
touch "$POC_DIR/protected_file"
touch "$POC_DIR/accessible_file"

# Note: To reproduce the actual failure, 'protected_file' must be unwritable by the current user.
# You might need to use 'chown root' or 'chmod 000' on protected_file before running the next step.
# Example: sudo chown root:root $POC_DIR/protected_file

echo "Running vulnerable chown command..."
# Run the recursive chown. The vulnerable version returns 0 if accessible_file succeeds,
# regardless of protected_file's status.
chown -R "$USER:$USER" "$POC_DIR"
# Save the exit status immediately so no later command overwrites $?
status=$?

# Check the exit status of the chown command
if [ "$status" -eq 0 ]; then
    echo "[+] Vulnerability Detected: Command returned 0 (Success)."
    echo "[!] However, 'protected_file' ownership might not have changed."
else
    echo "[-] Command returned non-zero. Logic might be correct."
fi
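
Because the description says scripts may wrongly assume ownership was transferred, a script can check the tree itself after a recursive chown or chgrp. The following is an added example, not code from the CVE record or the uutils project; the function names list_owner_mismatches and chown_tree_checked are hypothetical.

```bash
#!/bin/sh
# Added example (not from the CVE record or uutils): check the result of a
# recursive chown by inspecting the tree, not by trusting the exit code alone.
# Function names are hypothetical.

# list_owner_mismatches DIR OWNER GROUP
# Prints every entry under DIR (DIR included) whose owner or group is not the
# requested one. OWNER/GROUP may be names or numeric ids. find does not follow
# symlinks by default, so a symlink is judged by its own ownership.
list_owner_mismatches() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# chown_tree_checked DIR OWNER GROUP
# Runs chown -R, then walks the tree. Returns non-zero if chown reported an
# error, if the tree could not be fully inspected, or if any entry still has
# the wrong owner or group. The body is a subshell so rc/leftovers stay local.
chown_tree_checked() (
    rc=0
    chown -R -- "$2:$3" "$1" || rc=$?
    # Fail closed: a find error means some entries were never examined.
    leftovers=$(list_owner_mismatches "$1" "$2" "$3") || rc=1
    if [ -n "$leftovers" ]; then
        printf 'ownership not applied to:\n%s\n' "$leftovers" >&2
        return 1
    fi
    return "$rc"
)
```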

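References

https://github.com/uutils/coreutils/pull/10035 (Issue Tracking, Patch)
https://github.com/uutils/coreutils/releases/tag/0.6.0 (Release Notes)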

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35340", "sourceIdentifier": "[email protected]", "published": "2026-04-22T17:16:35.923", "lastModified": "2026-05-04T20:12:01.500", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw in the ChownExecutor used by uutils coreutils chown and chgrp causes the utilities to return an incorrect exit code during recursive operations. The final exit code is determined only by the last file processed. If the last operation succeeds, the command returns 0 even if earlier ownership or group changes failed due to permission errors. This can lead to security misconfigurations where administrative scripts incorrectly assume that ownership has been successfully transferred across a directory tree."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-253"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*", "versionEndExcluding": "0.6.0", "matchCriteriaId": "87C33018-2E08-45B0-B69C-7FC224F7F883"}]}]}], "references": [{"url": "https://github.com/uutils/coreutils/pull/10035", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.6.0", "source": "[email protected]", "tags": ["Release Notes"]}]}}