Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35340

CVE-2026-35340: uutils coreutils Privilege Escalation

CVE-2026-35340 is a privilege escalation flaw in uutils coreutils chown and chgrp that causes incorrect exit codes during recursive operations, potentially leading to security misconfigurations in scripts.

Published:

CVE-2026-35340 Overview

A flaw in the ChownExecutor used by uutils coreutils chown and chgrp causes the utilities to return an incorrect exit code during recursive operations. The final exit code is determined only by the last file processed. If the last operation succeeds, the command returns 0 even if earlier ownership or group changes failed due to permission errors. This can lead to security misconfigurations where administrative scripts incorrectly assume that ownership has been successfully transferred across a directory tree.

Critical Impact

Administrative scripts relying on exit codes may silently fail to detect permission errors during bulk ownership changes, leading to security misconfigurations and files remaining with incorrect ownership permissions.

Affected Products

  • uutils coreutils (versions prior to 0.6.0)
  • Systems using uutils coreutils chown utility
  • Systems using uutils coreutils chgrp utility

Discovery Timeline

  • 2026-04-22 - CVE CVE-2026-35340 published to NVD
  • 2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-35340

Vulnerability Analysis

This vulnerability (CWE-253: Incorrect Check of Function Return Value) affects the ChownExecutor component within uutils coreutils. The core issue lies in how the executor handles exit codes during recursive directory traversal operations. When performing bulk ownership changes across a directory tree, the implementation incorrectly determines the final exit status based solely on the outcome of the last file operation processed, rather than aggregating the results of all operations.

This behavior creates a significant blind spot for automated processes and administrative scripts that depend on exit codes to verify successful execution. In a typical deployment scenario, if the recursive operation encounters permission errors on several files but the final file in the traversal succeeds, the command returns exit code 0 (success), masking all previous failures.

Root Cause

The root cause stems from improper handling of cumulative exit status within the ChownExecutor. Rather than maintaining a running error state that captures any failures throughout the recursive operation, the implementation overwrites the exit code with each file operation's result. This design flaw means the exit code reflects only the last operation's outcome, violating the expected Unix convention where non-zero exit codes indicate any failure during execution.

Attack Vector

This vulnerability requires local access to exploit. An attacker with limited privileges could exploit this behavior in environments where automated scripts perform ownership changes based on exit code verification:

  1. Script Manipulation: An attacker could arrange file system contents so that the last file in a recursive traversal is one they control or can successfully modify, while earlier files with sensitive content remain unchanged due to permission errors.

  2. Security Automation Bypass: Compliance scripts that verify ownership changes succeed based on exit codes would incorrectly report success, leaving files with improper ownership.

  3. Privilege Boundary Confusion: In multi-tenant environments, this could result in files remaining accessible to unintended users when ownership transfer scripts silently fail.

The vulnerability manifests in the ChownExecutor's recursive operation handling. When processing a directory tree, the exit code tracking only retains the result of the final file operation rather than aggregating failures. See the GitHub Pull Request for Coreutils for technical implementation details.

Detection Methods for CVE-2026-35340

Indicators of Compromise

  • Administrative scripts reporting successful ownership changes when files still have incorrect permissions
  • Log entries showing permission denied errors during chown or chgrp operations while script exit codes indicate success
  • Files within recursively processed directories retaining original ownership despite script completion
  • Discrepancies between expected and actual file ownership in directories processed by uutils coreutils

Detection Strategies

  • Audit scripts that rely on chown or chgrp exit codes for success verification
  • Implement post-execution ownership verification using find commands with -user or -group predicates
  • Compare expected ownership states against actual file system states after bulk operations
  • Monitor for uutils coreutils versions prior to 0.6.0 in system inventories

Monitoring Recommendations

  • Implement file integrity monitoring to detect ownership mismatches after administrative operations
  • Add secondary verification steps in deployment scripts that explicitly check file ownership
  • Log and alert on permission denied errors during recursive ownership operations regardless of exit code
  • Review automation pipelines that perform bulk ownership changes for proper error handling

How to Mitigate CVE-2026-35340

Immediate Actions Required

  • Upgrade uutils coreutils to version 0.6.0 or later
  • Audit existing scripts that use recursive chown or chgrp operations for proper error handling
  • Implement secondary verification mechanisms that do not rely solely on exit codes
  • Consider temporarily using GNU coreutils for critical ownership operations until upgrade is complete

Patch Information

The vulnerability has been addressed in uutils coreutils version 0.6.0. The fix ensures that the exit code properly reflects any failures encountered during recursive operations. For detailed patch information, see the GitHub Coreutils Release 0.6.0. The related pull request containing the fix is available at GitHub Pull Request for Coreutils.

Workarounds

  • Add explicit ownership verification after recursive operations using commands like find /path -not -user expected_user
  • Capture and parse stderr output for permission errors rather than relying on exit codes
  • Implement wrapper scripts that track failures during recursive operations independently
  • Use alternative coreutils implementations (such as GNU coreutils) for critical security operations until patching is complete
bash
# Workaround: Verify ownership after recursive chown
chown -R user:group /target/directory
# Verify all files have correct ownership
if find /target/directory -not -user user -o -not -group group | grep -q .; then
    echo "ERROR: Some files were not changed successfully"
    exit 1
fi

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.