CVE-2026-35340 Overview
A flaw in the ChownExecutor used by uutils coreutils chown and chgrp causes the utilities to return an incorrect exit code during recursive operations. The final exit code is determined only by the last file processed. If the last operation succeeds, the command returns 0 even if earlier ownership or group changes failed due to permission errors. This can lead to security misconfigurations where administrative scripts incorrectly assume that ownership has been successfully transferred across a directory tree.
Critical Impact
Administrative scripts that rely on exit codes may silently fail to detect permission errors during bulk ownership changes, leading to security misconfigurations and files left with incorrect ownership.
Affected Products
- uutils coreutils (versions prior to 0.6.0)
- Systems using uutils coreutils chown utility
- Systems using uutils coreutils chgrp utility
Discovery Timeline
- 2026-04-22 - CVE-2026-35340 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35340
Vulnerability Analysis
This vulnerability (CWE-253: Incorrect Check of Function Return Value) affects the ChownExecutor component within uutils coreutils. The core issue lies in how the executor handles exit codes during recursive directory traversal operations. When performing bulk ownership changes across a directory tree, the implementation incorrectly determines the final exit status based solely on the outcome of the last file operation processed, rather than aggregating the results of all operations.
This behavior creates a significant blind spot for automated processes and administrative scripts that depend on exit codes to verify successful execution. In a typical deployment scenario, if the recursive operation encounters permission errors on several files but the final file in the traversal succeeds, the command returns exit code 0 (success), masking all previous failures.
Root Cause
The root cause stems from improper handling of cumulative exit status within the ChownExecutor. Rather than maintaining a running error state that captures any failures throughout the recursive operation, the implementation overwrites the exit code with each file operation's result. This design flaw means the exit code reflects only the last operation's outcome, violating the expected Unix convention where non-zero exit codes indicate any failure during execution.
Attack Vector
This vulnerability requires local access to exploit. An attacker with limited privileges could exploit this behavior in environments where automated scripts perform ownership changes based on exit code verification:
- Script Manipulation: An attacker could arrange file system contents so that the last file in a recursive traversal is one they control or can successfully modify, while earlier files with sensitive content remain unchanged due to permission errors.
- Security Automation Bypass: Compliance scripts that verify ownership changes succeed based on exit codes would incorrectly report success, leaving files with improper ownership.
- Privilege Boundary Confusion: In multi-tenant environments, this could result in files remaining accessible to unintended users when ownership transfer scripts silently fail.
The vulnerability manifests in the ChownExecutor's recursive operation handling. When processing a directory tree, the exit code tracking only retains the result of the final file operation rather than aggregating failures. See the GitHub Pull Request for Coreutils for technical implementation details.
Detection Methods for CVE-2026-35340
Indicators of Compromise
- Administrative scripts reporting successful ownership changes when files still have incorrect permissions
- Log entries showing permission denied errors during chown or chgrp operations while script exit codes indicate success
- Files within recursively processed directories retaining original ownership despite script completion
- Discrepancies between expected and actual file ownership in directories processed by uutils coreutils
Detection Strategies
- Audit scripts that rely on chown or chgrp exit codes for success verification
- Implement post-execution ownership verification using find commands with -user or -group predicates
- Compare expected ownership states against actual file system states after bulk operations
- Monitor for uutils coreutils versions prior to 0.6.0 in system inventories
Monitoring Recommendations
- Implement file integrity monitoring to detect ownership mismatches after administrative operations
- Add secondary verification steps in deployment scripts that explicitly check file ownership
- Log and alert on permission denied errors during recursive ownership operations regardless of exit code
- Review automation pipelines that perform bulk ownership changes for proper error handling
How to Mitigate CVE-2026-35340
Immediate Actions Required
- Upgrade uutils coreutils to version 0.6.0 or later
- Audit existing scripts that use recursive chown or chgrp operations for proper error handling
- Implement secondary verification mechanisms that do not rely solely on exit codes
- Consider temporarily using GNU coreutils for critical ownership operations until upgrade is complete
Patch Information
The vulnerability has been addressed in uutils coreutils version 0.6.0. The fix ensures that the exit code properly reflects any failures encountered during recursive operations. For detailed patch information, see the GitHub Coreutils Release 0.6.0. The related pull request containing the fix is available at GitHub Pull Request for Coreutils.
Workarounds
- Add explicit ownership verification after recursive operations using commands like find /path -not -user expected_user
- Capture and parse stderr output for permission errors rather than relying on exit codes
- Implement wrapper scripts that track failures during recursive operations independently
- Use alternative coreutils implementations (such as GNU coreutils) for critical security operations until patching is complete
# Workaround: Verify ownership after recursive chown
# (replace user and group with the intended owner and group)
chown -R user:group /target/directory
# Verify all files have correct ownership: any path printed by find is a
# file or directory whose owner or group still differs from what was requested
if find /target/directory -not -user user -o -not -group group | grep -q .; then
    echo "ERROR: Some files were not changed successfully"
    exit 1
fi
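The advisory recommends wrapper scripts that track failures independently of the utility's exit code and a separate ownership verification step. The following is an added example written for this page; it is not code from the advisory or from the uutils project. It shows the same last-result-wins defect described under Root Cause reproduced as a shell loop, a hardened helper that issues one chown call per path so no earlier failure can be overwritten, and a verification counter based on the find check above. The CHOWN_CMD variable is an assumed hook that lets a test substitute a stand-in for the real chown binary; it defaults to chown.

```shell
#!/bin/sh
# Added example (not from the advisory or the uutils project). CHOWN_CMD is an
# assumed hook so a test can swap in a stand-in for the real chown; it defaults
# to the chown on PATH.

# Anti-pattern: the same defect as CVE-2026-35340, written as a script. The
# while loop returns the status of the last command its body ran, so a failure
# on any earlier path is forgotten as soon as a later chown succeeds.
chown_tree_last_wins() {
    find "$2" -print | sort | while IFS= read -r path; do
        "${CHOWN_CMD:-chown}" "$1" "$path"
    done
}

# Hardened form: one chown invocation per path. A single-file call has no
# earlier result to overwrite, and xargs exits 123 if any invocation failed,
# so the caller sees every failure regardless of traversal order.
strict_chown_tree() {
    find "$2" -print0 | xargs -0 -n1 "${CHOWN_CMD:-chown}" "$1"
    status=$?
    if [ "$status" -ne 0 ]; then
        echo "strict_chown_tree: at least one path under $2 kept its old owner (xargs status $status)" >&2
    fi
    return "$status"
}

# Independent verification, as the advisory recommends: count the paths under
# DIR ($2) whose owner is not EXPECTED ($1, a user name or numeric uid).
count_ownership_mismatches() {
    find "$2" ! -user "$1" -print | wc -l | tr -d ' '
}

# Usage by hand (hypothetical owner and path):
#   strict_chown_tree svc-app /srv/app || exit 1
#   [ "$(count_ownership_mismatches svc-app /srv/app)" -eq 0 ] || exit 1
```

The per-path invocation costs one process per file, which is acceptable for the administrative trees this advisory is concerned with; the point is that the hardened helper never asks the recursive mode of the utility for a verdict, and the mismatch count gives a second, independent check on the final state.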
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.