CVE-2026-35358 Overview
The cp utility in uutils coreutils contains a vulnerability in its handling of character and block device nodes during recursive copy operations (-R flag). When performing recursive copies, the implementation incorrectly treats device nodes as stream sources, reading their contents into regular files at the destination rather than preserving them using mknod. This behavior destroys device semantics, causing special device files like /dev/null to become regular files.
Critical Impact
This vulnerability can lead to runtime denial of service through disk exhaustion when copying from unbounded device nodes, or process hangs when reading from blocking devices. System integrity is compromised when device file semantics are destroyed during backup or synchronization operations.
Affected Products
- uutils coreutils versions prior to 0.7.0
- Linux and Unix-like systems utilizing uutils coreutils for file operations
- Containerized environments using uutils coreutils for system utilities
Discovery Timeline
- 2026-04-22 - CVE-2026-35358 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35358
Vulnerability Analysis
This vulnerability stems from improper resource identification (CWE-706) in the uutils coreutils implementation of the cp utility. The core issue lies in how the recursive copy function handles special file types, specifically character and block device nodes.
When the -R flag is used to perform recursive directory copies, the cp utility should recognize device nodes as special file types that require preservation using system calls like mknod() to recreate the device file at the destination with identical major and minor device numbers. Instead, the vulnerable implementation opens these device nodes as regular stream sources and attempts to read their contents.
This behavioral flaw has two significant consequences. First, for bounded devices like /dev/null or /dev/zero, the resulting destination file loses its device semantics entirely, becoming a regular empty file or a file filled with null bytes. Second, for unbounded or blocking devices, the copy operation may consume arbitrary amounts of disk space or hang indefinitely on a read that never completes.
The vulnerability requires local access and low privileges to exploit, making it particularly concerning in shared hosting environments, container orchestration systems, or any scenario where automated backup scripts utilize uutils coreutils.
Root Cause
The root cause is the absence of proper file type detection and handling logic within the recursive copy implementation. The code path that processes source files during recursive operations fails to differentiate between regular files and device special files. Instead of checking the file mode bits (S_IFCHR for character devices, S_IFBLK for block devices) and invoking appropriate system calls to preserve device semantics, the implementation universally applies regular file copy logic that opens, reads, and writes byte streams.
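The dispatch described above, as an added Python example (an illustration, not code from uutils or from Pull Request #11163): `copy_as_stream` reproduces the flawed stream-only pattern, and `copy_node` checks the mode bits first and recreates devices with `mknod`. Both function names and the `max_bytes` cap are assumptions of this example.

```python
import os
import shutil
import stat


def copy_as_stream(src, dst, max_bytes=1 << 20):
    """Flawed pattern from the advisory: every entry is read as a byte stream.

    max_bytes is an added safety cap so the demo stops on unbounded devices.
    """
    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while copied < max_bytes:
            chunk = fin.read(min(65536, max_bytes - copied))
            if not chunk:
                break
            fout.write(chunk)
            copied += len(chunk)
    return copied  # dst is now a regular file, whatever src was


def copy_node(src, dst):
    """Type-aware copy of one non-directory entry; returns the action taken.

    Device nodes and FIFOs are recreated, never opened, so nothing is read
    from them and the copy cannot hang or fill the disk.
    """
    st = os.lstat(src)  # classify the entry itself; do not follow symlinks
    mode = st.st_mode
    if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
        # Same type, permission bits and major/minor as the source.
        # Needs CAP_MKNOD (normally root); otherwise raises PermissionError.
        os.mknod(dst, mode, st.st_rdev)
        return "mknod"
    if stat.S_ISFIFO(mode):
        os.mkfifo(dst, stat.S_IMODE(mode))
        return "mkfifo"
    if stat.S_ISLNK(mode):
        os.symlink(os.readlink(src), dst)
        return "symlink"
    if stat.S_ISREG(mode):
        shutil.copyfile(src, dst)
        return "stream"
    raise ValueError(f"unsupported file type: {stat.filemode(mode)} {src}")
```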
Attack Vector
The attack vector is local, requiring an attacker to have the ability to execute the vulnerable cp command with recursive flags on a system where device nodes exist in the source tree. Exploitation scenarios include:
An attacker could craft a directory structure containing symlinks or device nodes that, when copied by an automated backup or synchronization script using the vulnerable cp utility, would result in disk exhaustion. For example, including a reference to /dev/random or /dev/urandom in a backup source would cause the copy operation to continuously read random bytes until disk space is exhausted.
In environments where copied directory structures are expected to maintain device node integrity (such as creating chroot environments or container images), the vulnerability silently corrupts the destination, potentially causing application failures or security issues when the copied environment is used.
The vulnerability mechanism involves the cp utility mishandling device special files during recursive operations. When encountering a character or block device node, rather than using mknod() to preserve the device file, the implementation reads from the device as if it were a regular file and writes the bytes to the destination. Technical details are available in GitHub Issue #9746 and the corresponding Pull Request #11163.
Detection Methods for CVE-2026-35358
Indicators of Compromise
- Unexpected disk space consumption during routine backup or copy operations
- Regular files appearing in destinations where device nodes should exist (check with ls -la for file type indicators)
- Process hangs or extended CPU usage from cp operations involving directories containing device nodes
- Backup integrity failures when comparing source device nodes against destination files
Detection Strategies
- Monitor for cp processes with recursive flags that exhibit abnormal execution times or resource consumption
- Implement file type validation scripts that compare source and destination file types after copy operations
- Use filesystem monitoring tools to detect unexpected regular file creation in paths typically containing device nodes
- Review system logs for disk quota warnings or out-of-space errors following automated copy operations
Monitoring Recommendations
- Set up alerts for disk utilization spikes that correlate with scheduled backup or synchronization jobs
- Implement process resource limits (ulimit) for automated scripts that perform recursive copies
- Monitor uutils coreutils version across your infrastructure to identify systems running vulnerable versions
- Create integrity checks that validate device node preservation after copy operations complete
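A validation script of the kind listed above, as an added Python example (not part of the original advisory or of uutils): record the source tree's device nodes with `device_manifest` before the copy, then run `verify_copy` against the destination. The function names, status strings and tuple layout are assumptions of this example.

```python
import os
import stat

KIND = {stat.S_IFCHR: "c", stat.S_IFBLK: "b"}


def device_manifest(root):
    """Map relative path -> (kind, major, minor) for each device node under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):  # symlinked dirs are not entered
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat only: the node is never opened
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            kind = KIND.get(stat.S_IFMT(st.st_mode))
            if kind:
                rel = os.path.relpath(path, root)
                manifest[rel] = (kind, os.major(st.st_rdev), os.minor(st.st_rdev))
    return manifest


def verify_copy(expected, dst_root):
    """Check dst_root against a source manifest.

    Returns (path, status, detail) tuples; an empty list means every device
    node kept its type and major/minor numbers.
    """
    actual = device_manifest(dst_root)
    findings = []
    for rel, want in sorted(expected.items()):
        got = actual.get(rel)
        if got == want:
            continue
        path = os.path.join(dst_root, rel)
        if got is not None:
            findings.append((rel, "changed", f"{want} -> {got}"))
        elif os.path.lexists(path):
            st = os.lstat(path)
            detail = f"{stat.filemode(st.st_mode)} size={st.st_size}"
            findings.append((rel, "not-a-device", detail))
        else:
            findings.append((rel, "missing", "no entry at destination"))
    return findings
```

A `not-a-device` finding with a non-zero size is the signature of a device that was read as a stream; the same manifest can be kept to audit destinations written by earlier copies.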
How to Mitigate CVE-2026-35358
Immediate Actions Required
- Upgrade uutils coreutils to version 0.7.0 or later, which contains the fix for this vulnerability
- Review automated scripts and backup procedures that use the cp utility with recursive flags
- Audit systems for corrupted device nodes that may have resulted from previous vulnerable copy operations
- Consider using GNU coreutils as an alternative until the upgrade is complete
Patch Information
The vulnerability has been addressed in uutils coreutils version 0.7.0. The fix was implemented through Pull Request #11163, which corrects the handling of character and block device nodes during recursive copy operations. The patched version properly detects device special files and uses mknod() to preserve device semantics at the destination.
The fixed release is available at the GitHub Release v0.7.0.
Workarounds
- Exclude device nodes from recursive copy operations using find with -not -type directives piped to cpio or tar
- Use GNU coreutils cp implementation which correctly handles device nodes during recursive copies
- Implement pre-copy validation scripts that identify device nodes in source directories and handle them separately
- For container or chroot creation workflows, use specialized tools designed for this purpose rather than generic cp utilities
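```bash
# Configuration example
# Workaround: copy the tree with find and cpio, which recreates device nodes.
# Run find from inside the source so paths are recreated relative to the destination.
(cd /source/directory && find . -print0 | cpio -pdm0 /destination/directory)
# Alternatively, use rsync, which handles device nodes correctly (-a already implies --devices)
rsync -a --devices /source/directory/ /destination/directory/
# Verify device nodes are preserved after the copy
# (-exec ... + avoids listing the current directory when nothing matches)
find /destination/directory \( -type c -o -type b \) -exec ls -la {} +
```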


