CVE-2026-35365 Overview
A symlink attack vulnerability exists in the mv utility of uutils coreutils that improperly handles directory trees containing symbolic links during move operations across filesystem boundaries. Instead of preserving symlinks as intended, the implementation expands them, copying the linked targets as real files or directories at the destination. This behavior can lead to resource exhaustion (disk space or time) if symlinks point to large external directories, unexpected duplication of sensitive data into unintended locations, or infinite recursion and repeated copying in the presence of symlink loops.
Critical Impact
This vulnerability can cause resource exhaustion, data duplication into unintended locations, and infinite recursion when moving directories containing symbolic links across filesystem boundaries.
Affected Products
- uutils coreutils (versions prior to 0.7.0)
Discovery Timeline
- 2026-04-22 - CVE-2026-35365 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35365
Vulnerability Analysis
This vulnerability is classified under CWE-59 (Improper Link Resolution Before File Access), commonly known as a symlink attack. The core issue lies in how the mv utility handles symbolic links when moving directory trees across filesystem boundaries. When a move operation cannot be performed atomically (because source and destination reside on different filesystems), the utility must fall back to copying the content and then deleting the source. During this copy phase, the implementation incorrectly follows and expands symbolic links rather than preserving them as symlinks at the destination.
The improper symlink resolution creates multiple security and operational concerns. An attacker could leverage this behavior, or an unintentional configuration could trigger it, to cause disk exhaustion through symlinks that point to large directories outside the intended scope. When the mv utility expands these symlinks, it copies the entire target content, potentially filling up disk space rapidly.
Additionally, this vulnerability enables sensitive data to be duplicated into unintended locations. If a symlink within the directory tree points to a sensitive directory such as /etc or user home directories, the move operation would copy that sensitive data to the destination path, potentially exposing it to unauthorized access.
The presence of symlink loops presents a particularly dangerous scenario. Without proper loop detection, the utility can enter infinite recursion, continuously copying the same content and consuming both CPU time and disk space until system resources are exhausted.
Root Cause
The root cause of this vulnerability is the improper handling of symbolic links in the mv utility's cross-filesystem move logic. When moving directories across filesystem boundaries, the implementation follows symbolic links and copies their targets instead of preserving the symlinks as-is. The code lacks proper symlink detection and preservation mechanisms during the copy phase of cross-filesystem moves.
Attack Vector
This vulnerability requires local access to exploit. An attacker with the ability to create directories and symbolic links on a system running the vulnerable mv utility can craft a malicious directory structure. By creating symlinks that point to large directories or sensitive locations, or by creating symlink loops, and then triggering a move operation across filesystem boundaries, the attacker can cause resource exhaustion, information disclosure, or denial of service.
The attack scenario involves creating a directory with carefully crafted symbolic links, then using the mv command (or having another process or user invoke it) to move that directory to a different filesystem mount point. When the vulnerable utility processes this operation, it will expand the symlinks rather than preserve them.
Detection Methods for CVE-2026-35365
Indicators of Compromise
- Unexpectedly large disk space consumption following mv operations
- Duplicate copies of sensitive files appearing in unexpected directories after move operations
- System resource exhaustion (CPU, disk I/O) during directory move operations
- Processes stuck in recursive copy loops involving the mv utility
Detection Strategies
- Monitor for unusual disk space consumption patterns, particularly following file management operations
- Implement file integrity monitoring to detect unexpected duplication of sensitive files
- Track mv command execution and correlate with abnormal resource usage patterns
- Audit systems for uutils coreutils version to identify vulnerable installations
Monitoring Recommendations
- Configure system monitoring to alert on rapid disk space consumption
- Set up process monitoring to detect long-running mv operations that may indicate infinite loops
- Enable filesystem auditing to track cross-filesystem move operations
- Monitor for unexpected file creation in sensitive directories
How to Mitigate CVE-2026-35365
Immediate Actions Required
- Upgrade uutils coreutils to version 0.7.0 or later
- Audit systems to identify installations of vulnerable uutils coreutils versions
- Review recent mv operations across filesystem boundaries for potential impact
- Consider temporarily using GNU coreutils mv as an alternative until upgrade is complete
Patch Information
The vulnerability has been addressed in uutils coreutils version 0.7.0. The fix ensures proper symlink handling during cross-filesystem move operations. Users should upgrade to this version or later to remediate the vulnerability. Technical details of the fix are available in the GitHub Pull Request #10546, and the fixed release is documented in the uutils coreutils 0.7.0 Release Notes.
Workarounds
- Avoid moving directory trees containing symbolic links across filesystem boundaries using the vulnerable mv utility
- Use the cp -P option followed by rm to manually perform cross-filesystem moves while preserving symlinks
- Implement pre-move validation scripts that detect and warn about symlinks in directory trees before cross-filesystem operations
- Consider using alternative tools like rsync -a which properly handles symlinks during cross-filesystem transfers
# Example workaround: Use rsync with symlink preservation (-a implies -l)
# The source is removed only if the copy succeeded
rsync -av --progress /source/directory/ /destination/on/other/fs/ \
  && rm -rf /source/directory
# Alternative: Use cp with -P flag to preserve symlinks
# The source is removed only if the copy succeeded
cp -rP /source/directory /destination/on/other/fs/ \
  && rm -rf /source/directory
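A pre-move validation script of the kind suggested in the workarounds above, as an added example (not code from uutils or from this advisory). The function names are hypothetical, and it assumes `stat -c` and `readlink -f` as provided by GNU coreutils or a compatible implementation.

```shell
#!/bin/sh
# Added example, not uutils code. Assumes `stat -c` and `readlink -f`
# (GNU coreutils or compatible) are available.

# True (0) when SRC and DEST_DIR have different st_dev values, i.e. mv
# cannot rename() and must fall back to copy + delete.
crosses_filesystem() {
    [ "$(stat -c %d -- "$1")" != "$(stat -c %d -- "$2")" ]
}

# Print one tab-separated line per symlink under SRC:
#   UNRESOLVED  dangling link or symlink loop
#   RECURSIVE   link sits beneath its own target; expanding it re-enters the tree
#   EXTERNAL    target is outside SRC; expanding it copies foreign data in
#   INTERNAL    target is elsewhere inside SRC; expanding it duplicates data
audit_symlinks() (
    root=$(readlink -f -- "$1") || return 2
    # find does not follow links, and -exec ... {} + is safe for any file name
    find "$root" -type l -exec sh -c '
        root=$1; shift
        for link do
            if [ ! -e "$link" ]; then
                printf "UNRESOLVED\t%s\n" "$link"; continue
            fi
            target=$(readlink -f -- "$link")
            if [ "${link#"$target"/}" != "$link" ]; then kind=RECURSIVE
            elif [ "${target#"$root"/}" != "$target" ]; then kind=INTERNAL
            else kind=EXTERNAL
            fi
            printf "%s\t%s -> %s\n" "$kind" "$link" "$target"
        done' sh "$root" {} +
)

# 0: safe to hand to mv (same filesystem, or no symlinks in the tree).
# 1: cross-filesystem move of a tree with symlinks; report goes to stderr.
premove_check() (
    crosses_filesystem "$1" "$2" || return 0
    report=$(audit_symlinks "$1")
    [ -z "$report" ] && return 0
    printf '%s\n' "$report" >&2
    return 1
)
```

Call `premove_check /source/directory /destination/on/other/fs` before the move and use the `cp -P` or `rsync -a` path instead of mv when it returns 1.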
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


