Security Vulnerability Report
CVE-2026-35371 CVSS 3.3 LOW

CVE-2026-35371

Published: 2026-04-22 17:16:41
Last Modified: 2026-05-04 20:02:06

Description

The id utility in uutils coreutils exhibits incorrect behavior in its "pretty print" output when the real UID and effective UID differ. The implementation incorrectly uses the effective GID instead of the effective UID when performing a name lookup for the effective user. This results in misleading diagnostic output that can cause automated scripts or system administrators to make incorrect decisions regarding file permissions or access control.

CVSS Details

CVSS Score: 3.3
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:* - VULNERABLE
uutils coreutils (versions prior to the fix for Issue #10006)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
PoC for CVE-2026-35371: Logic Error in uutils coreutils id utility

This script demonstrates the logic flaw where the tool uses the Effective GID
instead of the Effective UID for the user name lookup.
"""
import grp
import pwd


def get_user_name(uid):
    """Correctly get username by UID."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def get_group_name(gid):
    """Get group name by GID."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def simulate_vulnerable_id(real_uid, effective_uid, effective_gid):
    print("--- Simulating Vulnerable Behavior (CVE-2026-35371) ---")
    print(f"Real UID: {real_uid} ({get_user_name(real_uid)})")
    # Vulnerable logic: the user-name (passwd) lookup for the effective user
    # is keyed by the effective GID instead of the effective UID.
    vulnerable_lookup_name = get_user_name(effective_gid)  # Mistake: GID passed where the EUID belongs
    print(f"Effective UID: {effective_uid} ({vulnerable_lookup_name}) [INCORRECT - Used GID lookup]")
    print(f"Effective GID: {effective_gid} ({get_group_name(effective_gid)})")


def simulate_correct_id(real_uid, effective_uid, effective_gid):
    print("\n--- Simulating Correct Behavior ---")
    print(f"Real UID: {real_uid} ({get_user_name(real_uid)})")
    print(f"Effective UID: {effective_uid} ({get_user_name(effective_uid)})")
    print(f"Effective GID: {effective_gid} ({get_group_name(effective_gid)})")


if __name__ == "__main__":
    # Scenario: User (uid 1000) runs a setuid root program (uid 0), but group stays as user (gid 1000)
    # Note: This requires root to actually change EUID, but we simulate the lookup logic here.
    r_uid = 1000
    e_uid = 0
    e_gid = 1000
    print("Scenario: Real UID=1000, Effective UID=0 (root), Effective GID=1000 (user)")
    simulate_vulnerable_id(r_uid, e_uid, e_gid)
    simulate_correct_id(r_uid, e_uid, e_gid)

References

https://github.com/uutils/coreutils/issues/10006 (Exploit, Issue Tracking)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35371", "sourceIdentifier": "[email protected]", "published": "2026-04-22T17:16:40.987", "lastModified": "2026-05-04T20:02:06.183", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The id utility in uutils coreutils exhibits incorrect behavior in its \"pretty print\" output when the real UID and effective UID differ. The implementation incorrectly uses the effective GID instead of the effective UID when performing a name lookup for the effective user. This results in misleading diagnostic output that can cause automated scripts or system administrators to make incorrect decisions regarding file permissions or access control."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-451"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:*", "matchCriteriaId": "4A9AF9E4-E17C-48AD-8051-B49998618839"}]}]}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10006", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://github.com/uutils/coreutils/issues/10006", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking"]}]}}