CVE-2026-35350 Overview
The cp utility in uutils coreutils contains an improper preservation of permissions vulnerability (CWE-281) in how the setuid and setgid bits are handled when ownership preservation fails. When copying a file with the -p (preserve) flag, the utility applies the source's mode bits even though the chown call was unsuccessful. The result is a copy owned by the invoking user that still carries the source's setuid/setgid bits: an executable that looks privileged, was never meant to exist in that form, and violates local security policy.
This vulnerability represents a deviation from expected behavior compared to GNU cp, which properly clears these privileged bits when ownership cannot be preserved.
Critical Impact
A local attacker with limited privileges can use this behaviour to produce executables that carry setuid/setgid bits but are owned by that attacker. Because ownership was not preserved, such a copy runs with the attacker's own user and group rather than the original owner's, so it does not by itself yield root. The impact is a violation of local setuid/setgid policy (for example, a baseline that permits no setuid files outside system directories) and a possible building block when combined with other weaknesses, rather than direct privilege escalation.
Affected Products
- uutils coreutils (affected versions not specified)
- Systems on which the uutils coreutils cp is invoked with the -p flag (or with -a, which implies it)
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-35350 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35350
Vulnerability Analysis
This vulnerability stems from improper handling of privileged permission bits (setuid and setgid) during file copy operations. When a user invokes the uutils cp command with the -p (preserve) flag, the utility attempts to preserve the original file's attributes including ownership and mode bits. However, when the chown system call fails (typically due to insufficient privileges to change file ownership), the utility proceeds to apply the original mode bits regardless.
The practical effect: if a root-owned setuid executable is copied by an unprivileged user, the copy becomes owned by that user while keeping the setuid bit. A setuid bit on a file owned by that user only makes the program run as that user, so it does not grant root privileges. It does, however, violate the principle of least surprise, break the assumption that privileged bits survive a copy only when ownership does, and create policy violations in environments where the set of setuid/setgid files is tightly controlled.
GNU coreutils cp handles this scenario as POSIX specifies for cp -p: if the user ID or group ID cannot be duplicated, the S_ISUID and S_ISGID bits are cleared on the copy.
Root Cause
The root cause is a logic flaw in the uutils coreutils cp utility's attribute preservation code path. The vulnerability occurs because:
- The utility attempts to preserve ownership via chown
- When chown fails, the error is handled but does not trigger clearing of privileged bits
- The subsequent chmod operation applies the original mode bits including setuid/setgid
- This results in the privileged bits being preserved on a file where they should have been cleared
This represents an Improper Preservation of Permissions (CWE-281) vulnerability where security-relevant permission bits are not properly managed during error conditions.
Attack Vector
The attack vector is local and requires an attacker to have access to a system running the vulnerable uutils coreutils implementation. An attacker would need:
- Local system access with limited user privileges
- Read access to a setuid/setgid binary owned by another user (typically root)
- Write access to a directory where they can create the copy
The exploitation scenario involves copying a privileged binary using cp -p, resulting in a user-owned copy that unexpectedly retains privileged permission bits. While this alone may not directly escalate privileges, it creates potential security policy violations and could be combined with other vulnerabilities.
For technical details on the vulnerability behavior, see the GitHub Issue Discussion.
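The following is an added example, not code from the advisory or from the uutils project: a POSIX shell check that tells you which behaviour the cp on a given system exhibits. It copies a readable setuid/setgid file owned by another user with cp -p into a temporary directory and inspects the copy's owner and mode. The search paths /usr/bin, /bin, /usr/sbin and /sbin and the script name check_cp.sh are assumptions. It must run as an unprivileged user, because as root the chown succeeds and both implementations legitimately keep the bits.

```sh
#!/bin/sh
# Added example (not from the advisory or the uutils project): checks whether the
# cp on this system keeps setuid/setgid bits on a copy whose ownership could not
# be preserved. Run as an unprivileged user; as root chown succeeds, the bits are
# legitimately kept, and the check cannot tell the two behaviours apart.

# Return 0 if an octal mode string (as printed by `stat -c %a`) carries the
# setuid (04000) or setgid (02000) bit. The sticky bit (01000) alone is ignored.
has_priv_bits() {
    [ $(( 0$1 & 06000 )) -ne 0 ]
}

# Pick a readable setuid/setgid file owned by someone other than the caller.
# Assumption: the usual system binary directories; adjust for your layout.
find_foreign_priv_file() {
    for f in $(find /usr/bin /bin /usr/sbin /sbin -maxdepth 1 -type f -perm /6000 2>/dev/null); do
        if [ -r "$f" ] && [ "$(stat -c %u "$f")" != "$(id -u)" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# check_cp CP_BINARY [SOURCE]: copy SOURCE with `CP_BINARY -p` into a temp dir
# and report. Exit status: 0 = bits cleared (POSIX/GNU behaviour), 1 = bits kept
# on a copy with a different owner (the behaviour this advisory describes),
# 2 = could not test.
check_cp() {
    cp_bin=$1
    src=${2:-$(find_foreign_priv_file)}
    if [ -z "$src" ]; then
        echo "no readable setuid/setgid file owned by another user found; pass one explicitly" >&2
        return 2
    fi
    tmp=$(mktemp -d) || return 2
    # GNU cp -p exits non-zero when it cannot preserve ownership but still writes
    # the copy, so the exit status is not the signal here; the resulting mode is.
    "$cp_bin" -p "$src" "$tmp/copy" 2>/dev/null
    if [ ! -f "$tmp/copy" ]; then
        rm -rf "$tmp"; echo "copy failed" >&2; return 2
    fi
    mode=$(stat -c %a "$tmp/copy")
    src_owner=$(stat -c %u "$src")
    dst_owner=$(stat -c %u "$tmp/copy")
    rm -rf "$tmp"
    if [ "$src_owner" = "$dst_owner" ]; then
        echo "ownership was preserved (running as the owner?); test inconclusive" >&2
        return 2
    fi
    if has_priv_bits "$mode"; then
        echo "VULNERABLE: $cp_bin -p kept mode $mode on a copy owned by uid $dst_owner (source uid $src_owner)"
        return 1
    fi
    echo "OK: $cp_bin -p cleared setuid/setgid (mode $mode) when ownership could not be preserved"
    return 0
}

# Usage: sh check_cp.sh /path/to/cp [setuid-file]
if [ $# -gt 0 ]; then
    check_cp "$@"
else
    echo "usage: $0 /path/to/cp [setuid-file]" >&2
fi
```

Run it once against the uutils binary and once against GNU cp (for example sh check_cp.sh /usr/bin/cp) to see the two outcomes side by side; an exit status of 1 is the behaviour described above, 2 means the environment did not allow a meaningful test.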
Detection Methods for CVE-2026-35350
Indicators of Compromise
- Presence of user-owned files with setuid or setgid bits set in unexpected locations
- Audit logs showing cp -p operations on setuid/setgid binaries followed by execution attempts
- Files with setuid/setgid bits that are owned by non-root users in writable directories
Detection Strategies
- Monitor file system for newly created files with setuid (4000) or setgid (2000) permission bits using tools like find / -perm /6000 -type f
- Implement file integrity monitoring (FIM) to detect creation of setuid/setgid files outside of expected system directories
- Audit cp command usage with preservation flags targeting privileged binaries
Monitoring Recommendations
- Enable auditd rules that log the chmod and chown syscall families for real users (auid >= 1000) and review the PATH records for executables in user-writable directories; auditd itself cannot filter on whether a directory is user-writable, so that filtering happens at search time
- Configure SentinelOne endpoint agents to alert on setuid/setgid file creation events
- Implement periodic scanning for setuid/setgid files in non-standard locations using scheduled security audits
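An added example (not from the advisory) that turns the detection steps above into reusable shell functions: a sorted snapshot of setuid/setgid files, a baseline diff that flags new or changed entries, a classifier that separates files not owned by root from root-owned files outside the usual packaging directories, and a printer for auditd rules that record chmod and chown family syscalls made by logged-in users. The expected-directory list, the audit key priv_bits, the auid>=1000 threshold and the file locations in the usage comments are assumptions to adjust for your distribution.

```sh
#!/bin/sh
# Added example (not from the advisory): baseline-and-diff scan for setuid/setgid
# files, plus the auditd rules that record chmod/chown calls by real users.
# Nothing here modifies the system; write the rules out yourself (see usage).

# suid_snapshot DIR...: every regular file under DIR... carrying setuid or setgid,
# one "uid gid mode path" line each, sorted so two snapshots diff cleanly.
suid_snapshot() {
    find "$@" -xdev -type f -perm /6000 -exec stat -c '%u %g %a %n' {} \; 2>/dev/null | sort
}

# classify_entry UID MODE PATH: print a verdict for one snapshot line.
#   non-root-owner : privileged bits on a file not owned by root (what a failed
#                    ownership-preserving copy leaves behind)
#   unexpected-path: root-owned but outside the directories where setuid binaries live
#   expected       : root-owned, under an expected directory
# Assumption: the directory list below matches common packaging layouts.
classify_entry() {
    uid=$1; mode=$2; path=$3
    if [ "$uid" != 0 ]; then
        echo "non-root-owner"; return
    fi
    case "$path" in
        /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/libexec/*|/usr/local/bin/*|/usr/local/sbin/*)
            echo "expected" ;;
        *)  echo "unexpected-path" ;;
    esac
}

# suid_report DIR...: snapshot with a verdict column; redirect to a file to make a baseline.
suid_report() {
    suid_snapshot "$@" | while read -r uid gid mode path; do
        printf '%s %s %s %s %s\n' "$(classify_entry "$uid" "$mode" "$path")" "$uid" "$gid" "$mode" "$path"
    done
}

# suid_diff BASELINE DIR...: report lines present now but absent from BASELINE
# (new files, or existing files whose owner or mode changed).
suid_diff() {
    baseline=$1; shift
    suid_report "$@" | grep -vxF -f "$baseline"
}

# audit_rules: auditd rules recording chmod/chown family syscalls by logged-in
# users (auid >= 1000, not unset), keyed priv_bits. Add arch=b32 copies if 32-bit
# binaries run on the host. Search with: ausearch -k priv_bits -i
audit_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k priv_bits
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k priv_bits
EOF
}

# Usage (as root, paths are assumptions):
#   audit_rules > /etc/audit/rules.d/priv_bits.rules && augenrules --load
#   suid_report / > /var/lib/suid.baseline          # once, on a known-good system
#   suid_diff /var/lib/suid.baseline /              # from cron; any output is a finding
```

Every line that suid_diff prints with a non-root-owner or unexpected-path verdict deserves a look; an expected entry that is new usually means a package update and can be folded into the baseline after verification.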
How to Mitigate CVE-2026-35350
Immediate Actions Required
- Review systems for use of uutils coreutils and identify where the cp utility may be invoked with preservation flags
- Audit existing files for setuid/setgid bits on files not owned by root using find / -xdev -type f -perm /6000 ! -user root (drop -xdev to cross mount points); review every hit that is not a known, intentionally setgid file
- Consider switching to GNU coreutils for critical systems until a patch is available
Patch Information
No official patch has been released at the time of publication. Administrators should monitor the uutils coreutils GitHub repository for updates regarding a security fix. Once a patch is available, update to the patched version immediately.
Workarounds
- Use GNU coreutils cp instead of uutils cp for operations involving setuid/setgid files
- Implement wrapper scripts that strip setuid/setgid bits after copy operations (chmod u-s,g-s) whenever the copy's owner or group differs from the source's, which is exactly the case in which ownership was not preserved
- Apply the nosuid mount option to user-writable filesystems so the kernel ignores setuid/setgid bits at execution time; the bits can still be set on files there, so this limits the effect rather than preventing the creation
- Implement mandatory access control (SELinux, AppArmor) policies to restrict setuid/setgid file creation
# Configuration example
# Find and clear setuid/setgid bits on files owned by the current user under /home
# (-xdev keeps find on the /home filesystem; id -un is quoted in case of unusual names)
find /home -xdev -type f -user "$(id -un)" -perm /6000 -exec chmod u-s,g-s {} \;
# Remount user directories with nosuid so the kernel ignores setuid/setgid on exec
# (requires root and /home being its own mount point; add nosuid to /etc/fstab to persist)
mount -o remount,nosuid /home
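The wrapper suggested in the workarounds, as an added example that is not part of the advisory or of uutils: it runs cp -p and, only when the copy's uid or gid differs from the source's (meaning ownership could not be preserved), strips setuid and setgid from the copy, which is the POSIX cp -p outcome. CP_BIN is an assumed environment variable for choosing which cp to wrap; the wrapper handles a single regular file copied to a destination path.

```sh
#!/bin/sh
# Added example (not from the advisory or uutils): a wrapper that gives any cp the
# POSIX cp -p behaviour for setuid/setgid bits. It copies with -p and, if the
# copy's owner or group differs from the source's (ownership could not be
# preserved), clears setuid and setgid on the copy. CP_BIN is an assumed knob.

# has_priv_bits MODE: 0 if the octal mode carries setuid (04000) or setgid (02000).
has_priv_bits() {
    [ $(( 0$1 & 06000 )) -ne 0 ]
}

# owner_differs SRC DST: 0 if uid or gid differ between the two files.
owner_differs() {
    [ "$(stat -c '%u:%g' "$1")" != "$(stat -c '%u:%g' "$2")" ]
}

# safe_cp SRC DST: cp -p, then strip privileged bits on DST when ownership was
# not carried over. Prints the final octal mode of DST. Returns 1 on failure.
# DST must be a file path, not a directory.
safe_cp() {
    src=$1; dst=$2
    # GNU cp -p reports non-zero when ownership cannot be preserved but still
    # writes the file, so only a missing destination counts as a failed copy.
    "${CP_BIN:-cp}" -p "$src" "$dst" 2>/dev/null
    [ -f "$dst" ] || return 1
    mode=$(stat -c %a "$dst")
    if owner_differs "$src" "$dst" && has_priv_bits "$mode"; then
        chmod u-s,g-s "$dst" || return 1
        mode=$(stat -c %a "$dst")
    fi
    printf '%s\n' "$mode"
}

# Usage: CP_BIN=/path/to/uutils-cp sh safe_cp.sh SRC DST
if [ $# -eq 2 ]; then
    safe_cp "$1" "$2"
else
    echo "usage: $0 SRC DST" >&2
fi
```

When the copying user owns the source, ownership is preserved and the bits are left exactly as cp -p set them; only a copy whose owner or group changed is touched, so the wrapper never strips bits that a correct cp would have kept.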
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

