Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35338

CVE-2026-35338: uutils coreutils Path Traversal Flaw

CVE-2026-35338 is a path traversal vulnerability in uutils coreutils chmod that allows bypassing --preserve-root safety checks, enabling destructive operations on the root filesystem. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-35338 Overview

A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism. The implementation only validates if the target path is literally / and does not canonicalize the path. An attacker or accidental user can use path variants such as /../ or symbolic links to execute destructive recursive operations (e.g., chmod -R 000) on the entire root filesystem, leading to system-wide permission loss and potential complete system breakdown.

Critical Impact

System-wide permission loss and potential complete system breakdown through recursive chmod operations on the root filesystem via path traversal bypass of the --preserve-root safety mechanism.

Affected Products

  • uutils coreutils (versions prior to 0.6.0)

Discovery Timeline

  • 2026-04-22 - CVE CVE-2026-35338 published to NVD
  • 2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-35338

Vulnerability Analysis

This vulnerability is classified as CWE-22 (Path Traversal). The --preserve-root flag in the chmod utility is designed as a safety mechanism to prevent recursive permission changes from affecting the root filesystem (/). However, the uutils coreutils implementation contains a flaw in how it validates the target path.

The vulnerability exists because the path validation logic performs a simple literal string comparison against / rather than resolving the path to its canonical form. This means that while a direct invocation on / would be blocked, equivalent paths that resolve to the root filesystem are not properly detected.

The local attack vector requires low privileges but does require user interaction to execute the malicious command. If exploited, the impact includes complete compromise of confidentiality, integrity, and availability as filesystem permissions across the entire system can be modified.

Root Cause

The root cause is improper input validation in the path handling logic of the chmod utility. The --preserve-root check only compares the user-supplied path string directly against the literal / character. It fails to:

  1. Canonicalize paths containing traversal sequences like /../
  2. Resolve symbolic links that ultimately point to the root filesystem
  3. Handle path normalization before performing the safety check

This oversight allows paths that semantically refer to / but syntactically differ from the literal string to bypass the protection mechanism entirely.

Attack Vector

An attacker with local access and low privileges can exploit this vulnerability by crafting a path that resolves to the root filesystem while bypassing the literal string check. Examples include:

  • Using path traversal: chmod -R 000 /tmp/../
  • Using symbolic links: Creating a symlink to / and passing that to chmod
  • Using double slashes or dot notation: chmod -R 000 /./

When combined with the -R (recursive) flag, this allows destructive permission modifications across the entire filesystem. The consequences include rendering the system inoperable by removing execute permissions on critical binaries, or creating security vulnerabilities by making sensitive files world-readable.

Detection Methods for CVE-2026-35338

Indicators of Compromise

  • Unexpected system-wide permission changes, particularly on critical directories like /bin, /etc, /usr, and /sbin
  • System instability or service failures following chmod operations
  • Audit logs showing chmod commands with path traversal sequences (/../, /./) or suspicious symlink targets

Detection Strategies

  • Monitor for chmod commands with the -R flag that include path traversal patterns in their arguments
  • Implement file integrity monitoring (FIM) to detect unauthorized permission changes on critical system files
  • Review audit logs for suspicious chmod activity, especially from non-root users targeting paths that resolve to system directories

Monitoring Recommendations

  • Enable comprehensive filesystem auditing using auditd to log all chmod operations
  • Configure alerts for bulk permission changes affecting system-critical directories
  • Monitor for the creation of symbolic links pointing to / or system directories in user-writable locations

How to Mitigate CVE-2026-35338

Immediate Actions Required

  • Update uutils coreutils to version 0.6.0 or later, which contains the fix for this vulnerability
  • Review recent system logs for any suspicious chmod activity that may indicate exploitation
  • Verify file permissions on critical system directories have not been altered

Patch Information

The vulnerability has been addressed in uutils coreutils version 0.6.0. The fix is available via the GitHub Release Version 0.6.0. Technical details about the patch implementation can be found in the GitHub Pull Request.

Workarounds

  • Use GNU coreutils instead of uutils coreutils until the patched version can be deployed
  • Implement administrative policies restricting use of recursive chmod operations on production systems
  • Use access control mechanisms (SELinux, AppArmor) to limit which users can perform chmod operations on system directories
  • Create wrapper scripts that canonicalize paths before passing them to chmod
bash
# Example: Verify uutils coreutils version and update
# Check current version
uutils --version

# Update to patched version 0.6.0 or later
# Method depends on installation (cargo, package manager, etc.)
cargo install coreutils --version ">=0.6.0"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.