CVE-2026-35367

Description

The nohup utility in uutils coreutils creates its default output file, nohup.out, without specifying explicit restricted permissions. This causes the file to inherit umask-based permissions, typically resulting in a world-readable file (0644). In multi-user environments, this allows any user on the system to read the captured stdout/stderr output of a command, potentially exposing sensitive information. This behavior diverges from GNU coreutils, which creates nohup.out with owner-only (0600) permissions.

CVSS Details

CVSS Score

3.3

Severity

LOW

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:* - VULNERABLE

uutils coreutils (修复前版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/bin/bash

# Simulation of the vulnerability in uutils coreutils nohup
# This PoC demonstrates that the file permissions are world-readable (0644)

# Step 1: Create a file using the vulnerable behavior (simulated)
# In a real scenario, the user runs: nohup sensitive_script.sh
# Here we simulate the file creation with umask 022

umask 022
echo "SENSITIVE_OUTPUT=SECRET_TOKEN_12345" > nohup.out

# Step 2: Check the file permissions
# Vulnerable behavior: -rw-r--r-- (0644)
# Secure behavior (GNU): -rw------- (0600)

echo "Checking permissions of nohup.out:"
ls -l nohup.out

echo ""
echo "Content of nohup.out (readable by any user):"
cat nohup.out

# Cleanup
rm -f nohup.out

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-35367
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-35367
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-35367/
[4] VulDB https://vuldb.com/cve/CVE-2026-35367
[5] https://github.com/uutils/coreutils/issues/10021
[6] https://github.com/uutils/coreutils/issues/10021

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-35367", "sourceIdentifier": "[email protected]", "published": "2026-04-22T17:16:40.423", "lastModified": "2026-04-24T19:19:05.067", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The nohup utility in uutils coreutils creates its default output file, nohup.out, without specifying explicit restricted permissions. This causes the file to inherit umask-based permissions, typically resulting in a world-readable file (0644). In multi-user environments, this allows any user on the system to read the captured stdout/stderr output of a command, potentially exposing sensitive information. This behavior diverges from GNU coreutils, which creates nohup.out with owner-only (0600) permissions."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-732"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:*", "matchCriteriaId": "4A9AF9E4-E17C-48AD-8051-B49998618839"}]}]}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10021", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}, {"url": "https://github.com/uutils/coreutils/issues/10021", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}]}}