CVE-2026-35370 Overview
The id utility in uutils coreutils contains an Incorrect Authorization vulnerability (CWE-863) that causes miscalculation of the groups= section in its output. The implementation erroneously uses a user's real GID instead of their effective GID when computing the group list, resulting in divergent output compared to GNU coreutils. This discrepancy poses significant security risks as many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions.
Critical Impact
Incorrect group membership reporting can lead to unauthorized access or security misconfigurations when scripts rely on id output for access control decisions.
Affected Products
- uutils coreutils (versions affected not specified)
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-35370 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35370
Vulnerability Analysis
This vulnerability stems from incorrect implementation logic in the id utility's group enumeration functionality. The core issue is an Incorrect Authorization flaw where the utility uses the real GID (Group ID) rather than the effective GID when building the list of groups a user belongs to.
In Unix-like systems, processes operate with both a real GID (inherited from the parent process, typically the user's login group) and an effective GID (which determines actual permissions for file access and other operations). These values can differ in various scenarios, particularly when setgid programs are executed or when group privileges are temporarily elevated.
When the id utility reports the wrong set of groups due to using real GID instead of effective GID, downstream security decisions based on this output become unreliable. This is particularly dangerous in automated systems, deployment scripts, and access control mechanisms that parse id output to determine user capabilities.
Root Cause
The root cause is an implementation error in the uutils coreutils id utility where the code path responsible for computing group membership incorrectly references the real GID (getgid()) instead of the effective GID (getegid()). This causes the computed group list to be based on the wrong privilege context, leading to output that diverges from the expected GNU coreutils behavior.
Attack Vector
This vulnerability requires local access to exploit. An attacker with local system access could potentially leverage the incorrect group reporting in scenarios where:
- Security scripts or access control mechanisms parse the output of id to determine user permissions
- The discrepancy between real and effective GID creates a window where unauthorized access is granted based on incorrect group membership information
- Automated provisioning or deployment systems make security decisions based on the flawed output
The vulnerability is exploitable when the system uses uutils coreutils instead of GNU coreutils and has security-sensitive processes that depend on accurate id output for authorization decisions. For detailed technical discussion, see the GitHub Coreutils Issue Discussion.
Detection Methods for CVE-2026-35370
Indicators of Compromise
- Unexpected access control decisions or permission grants in systems using uutils coreutils
- Discrepancies between expected and actual group membership when comparing id output across different coreutils implementations
- Security audit logs showing access granted to resources that should be restricted based on group membership
Detection Strategies
- Compare output of id command between uutils coreutils and GNU coreutils implementations to identify discrepancies
- Review security scripts and automated processes that parse id output for access control decisions
- Audit systems where setgid programs or group privilege escalation mechanisms are in use
Monitoring Recommendations
- Monitor for unexpected access patterns in systems where uutils coreutils is deployed
- Implement logging for access control decisions that rely on group membership verification
- Track any security-sensitive operations that depend on the id utility output
How to Mitigate CVE-2026-35370
Immediate Actions Required
- Identify all systems using uutils coreutils and assess whether security-critical processes depend on id output
- Consider temporarily switching to GNU coreutils for systems with security-sensitive id usage
- Review and audit scripts that make access control decisions based on id command output
- Implement alternative methods for group membership verification where possible
Patch Information
Monitor the uutils coreutils GitHub repository for updates and patches addressing this issue. Apply the official fix once available from the uutils coreutils maintainers.
Workarounds
- Use GNU coreutils id utility instead of uutils coreutils on security-sensitive systems
- Implement direct system calls to getegid() and getgroups() in security-critical scripts rather than parsing id output
- Add validation logic to compare real and effective GID when making access control decisions
- Consider using alternative group membership verification methods such as checking /etc/group directly or using dedicated security libraries
# Workaround: Use GNU coreutils id explicitly
# Verify which id binary is in use
which id
/usr/bin/id --version
# If using uutils, specify GNU coreutils path directly
/usr/bin/gnu-id # Path may vary by distribution
# Alternative: Check effective GID directly
id -g # Shows effective GID
id -gr # Shows real GID (compare these values)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
