CVE-2026-35369 Overview
An argument parsing error in the kill utility of uutils coreutils incorrectly interprets kill -1 as a request to send the default signal (SIGTERM) to PID -1. Sending a signal to PID -1 causes the kernel to terminate all processes visible to the caller, potentially leading to a system crash or massive process termination. This differs from GNU coreutils, which correctly recognizes -1 as a signal number in this context and would instead report a missing PID argument.
Critical Impact
Local users executing kill -1 could inadvertently terminate all processes they have permission to signal, causing system instability, data loss, or complete system unavailability.
Affected Products
- uutils coreutils (versions prior to 0.6.0)
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-35369 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35369
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-20) in the argument parsing logic of the kill utility within uutils coreutils. When a user invokes kill -1, the utility misinterprets the argument. Instead of recognizing -1 as specifying signal number 1 (SIGHUP), the parser incorrectly treats it as a request to send the default signal (SIGTERM) to process ID -1.
In Unix-like operating systems, PID -1 is a special value. When a signal is sent to PID -1, the kernel broadcasts that signal to all processes that the calling user has permission to signal, excluding the init process. This behavior is intentional and documented in the kill(2) system call, but it should never be triggered unintentionally due to argument parsing errors.
The root cause is a deviation from the argument parsing behavior of GNU coreutils. The GNU implementation correctly identifies -1 in this context as a signal specification and reports a missing PID argument error, preventing any signal from being sent. The uutils implementation fails to make this distinction, leading to potentially catastrophic results.
Root Cause
The vulnerability is caused by improper input validation in the argument parsing logic of the kill command. The parser fails to correctly distinguish between signal number arguments (which should be validated as signal identifiers) and target PID arguments. When -1 is passed without an explicit signal flag (like -s), the utility should recognize it as an ambiguous or malformed command. Instead, it defaults to sending SIGTERM to the interpreted PID value of -1.
This is a behavioral compatibility issue where uutils coreutils deviates from the expected behavior established by GNU coreutils, creating a potentially dangerous footgun for users migrating between implementations or expecting POSIX-compliant behavior.
Attack Vector
The vulnerability requires local access to execute. An attacker or an unwitting user with shell access could trigger mass process termination by running kill -1. The attack does not require elevated privileges beyond standard user access, though the impact is limited to processes the user has permission to signal. For privileged users (root), this could terminate nearly all system processes, causing a complete system failure.
The exploitation scenario is particularly dangerous in scripts or automated systems where kill -1 might be used with the expectation of GNU coreutils behavior (sending SIGHUP). Such scripts could inadvertently cause widespread service disruption when run on systems using uutils coreutils.
Detection Methods for CVE-2026-35369
Indicators of Compromise
- Sudden, unexplained termination of multiple processes across the system
- System logs showing SIGTERM signals received by numerous unrelated processes simultaneously
- Application crashes or service outages coinciding with kill command execution
- Audit logs showing kill -1 invocations immediately before mass process termination events
Detection Strategies
- Monitor for execution of kill -1 commands on systems running uutils coreutils
- Implement auditd rules to log all kill command invocations with signal-like arguments
- Review shell history logs for patterns matching kill -1 or kill -[0-9]+ without explicit target PIDs
- Compare installed coreutils version against known affected versions using package management tools
Monitoring Recommendations
- Deploy process monitoring to detect abnormal rates of process termination events
- Configure alerting for sudden drops in running process counts outside of maintenance windows
- Establish baseline process counts and alert when significant deviations occur
- Monitor system stability metrics that could indicate mass process termination
How to Mitigate CVE-2026-35369
Immediate Actions Required
- Upgrade uutils coreutils to version 0.6.0 or later immediately
- Audit scripts and automation that use the kill command for potentially affected invocations
- Consider temporarily aliasing or wrapping the kill command to validate arguments before execution
- Review recent system instability incidents that may have been caused by this vulnerability
Patch Information
The vulnerability has been addressed in uutils coreutils version 0.6.0. Users should update to this version or later to resolve the argument parsing issue. The fix corrects the argument parsing logic to properly identify signal number arguments versus PID arguments, aligning behavior with GNU coreutils.
For additional details on the fix, refer to the GitHub Pull Request Discussion and the GitHub Coreutils Release 0.6.0.
Workarounds
- Use explicit signal syntax when invoking kill, such as kill -s HUP <pid> instead of kill -1
- Temporarily switch to GNU coreutils kill utility if upgrading is not immediately feasible
- Implement shell aliases or wrapper scripts that validate kill arguments before execution
- Restrict shell access on critical systems until the patch can be applied
# Workaround: Use explicit signal syntax to avoid ambiguity
# Instead of: kill -1
# Use: kill -s HUP <pid>
# Example wrapper function for .bashrc to catch dangerous invocations
kill() {
if [[ "$1" == "-1" && -z "$2" ]]; then
echo "Warning: 'kill -1' is ambiguous. Use 'kill -s HUP <pid>' instead." >&2
return 1
fi
command kill "$@"
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
