CVE-2026-35338 Overview
A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism. The implementation only validates if the target path is literally / and does not canonicalize the path. An attacker or accidental user can use path variants such as /../ or symbolic links to execute destructive recursive operations (e.g., chmod -R 000) on the entire root filesystem, leading to system-wide permission loss and potential complete system breakdown.
Critical Impact
System-wide permission loss and potential complete system breakdown through recursive chmod operations on the root filesystem via path traversal bypass of the --preserve-root safety mechanism.
Affected Products
- uutils coreutils (versions prior to 0.6.0)
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-35338 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35338
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Path Traversal). The --preserve-root flag in the chmod utility is designed as a safety mechanism to prevent recursive permission changes from affecting the root filesystem (/). However, the uutils coreutils implementation contains a flaw in how it validates the target path.
The vulnerability exists because the path validation logic performs a simple literal string comparison against / rather than resolving the path to its canonical form. This means that while a direct invocation on / would be blocked, equivalent paths that resolve to the root filesystem are not properly detected.
The local attack vector requires low privileges but does require user interaction to execute the malicious command. If exploited, the impact includes complete compromise of confidentiality, integrity, and availability as filesystem permissions across the entire system can be modified.
Root Cause
The root cause is improper input validation in the path handling logic of the chmod utility. The --preserve-root check only compares the user-supplied path string directly against the literal / character. It fails to:
- Canonicalize paths containing traversal sequences like /../
- Resolve symbolic links that ultimately point to the root filesystem
- Handle path normalization before performing the safety check
This oversight allows paths that semantically refer to / but syntactically differ from the literal string to bypass the protection mechanism entirely.
Attack Vector
An attacker with local access and low privileges can exploit this vulnerability by crafting a path that resolves to the root filesystem while bypassing the literal string check. Examples include:
- Using path traversal: chmod -R 000 /tmp/../
- Using symbolic links: Creating a symlink to / and passing that to chmod
- Using double slashes or dot notation: chmod -R 000 /./
When combined with the -R (recursive) flag, this allows destructive permission modifications across the entire filesystem. The consequences include rendering the system inoperable by removing execute permissions on critical binaries, or creating security vulnerabilities by making sensitive files world-readable.
Detection Methods for CVE-2026-35338
Indicators of Compromise
- Unexpected system-wide permission changes, particularly on critical directories like /bin, /etc, /usr, and /sbin
- System instability or service failures following chmod operations
- Audit logs showing chmod commands with path traversal sequences (/../, /./) or suspicious symlink targets
Detection Strategies
- Monitor for chmod commands with the -R flag that include path traversal patterns in their arguments
- Implement file integrity monitoring (FIM) to detect unauthorized permission changes on critical system files
- Review audit logs for suspicious chmod activity, especially from non-root users targeting paths that resolve to system directories
Monitoring Recommendations
- Enable comprehensive filesystem auditing using auditd to log all chmod operations
- Configure alerts for bulk permission changes affecting system-critical directories
- Monitor for the creation of symbolic links pointing to / or system directories in user-writable locations
How to Mitigate CVE-2026-35338
Immediate Actions Required
- Update uutils coreutils to version 0.6.0 or later, which contains the fix for this vulnerability
- Review recent system logs for any suspicious chmod activity that may indicate exploitation
- Verify file permissions on critical system directories have not been altered
Patch Information
The vulnerability has been addressed in uutils coreutils version 0.6.0. The fix is available via the GitHub Release Version 0.6.0. Technical details about the patch implementation can be found in the GitHub Pull Request.
Workarounds
- Use GNU coreutils instead of uutils coreutils until the patched version can be deployed
- Implement administrative policies restricting use of recursive chmod operations on production systems
- Use access control mechanisms (SELinux, AppArmor) to limit which users can perform chmod operations on system directories
- Create wrapper scripts that canonicalize paths before passing them to chmod
# Example: Verify uutils coreutils version and update
# Check current version
uutils --version
# Update to patched version 0.6.0 or later
# Method depends on installation (cargo, package manager, etc.)
cargo install coreutils --version ">=0.6.0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
