CVE-2026-35371 Overview
CVE-2026-35371 is a User Interface Misrepresentation vulnerability affecting the id utility in uutils coreutils. The vulnerability manifests in the "pretty print" output mode when the real UID and effective UID differ, causing the implementation to incorrectly use the effective GID instead of the effective UID when performing a name lookup for the effective user. This results in misleading diagnostic output that can cause automated scripts or system administrators to make incorrect decisions regarding file permissions or access control.
Critical Impact
Misleading output from the id utility can cause administrators and automated scripts to make incorrect security decisions regarding file permissions and access control, potentially leading to improper privilege assignments.
Affected Products
- uutils coreutils (specific versions not disclosed)
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-35371 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35371
Vulnerability Analysis
This vulnerability falls under CWE-451 (User Interface (UI) Misrepresentation of Critical Information). The id utility in uutils coreutils provides critical identity information used by system administrators and automated scripts to make access control decisions. When there is a discrepancy between the real UID and effective UID (a common scenario during privilege escalation operations like setuid programs), the utility's pretty print mode displays incorrect information.
The core issue lies in the name resolution logic where the code incorrectly references the effective GID variable when it should be using the effective UID. This logic error means the displayed username for the effective user may not correspond to the actual effective UID, creating a mismatch between what is displayed and the actual security context of the process.
Root Cause
The root cause is an implementation error in the name lookup logic within the id utility's pretty print functionality. When resolving the effective user's name for display purposes, the code incorrectly passes the effective GID value to the name resolution function instead of the effective UID. This type of variable confusion bug results in the wrong identifier being used for the lookup operation.
Attack Vector
The attack vector is local, requiring an attacker to have local access to a system running the vulnerable uutils coreutils. While the vulnerability itself does not directly enable privilege escalation, it can be exploited in several scenarios:
Automation Exploitation: Scripts that parse id output to make security decisions could be misled into granting inappropriate access or permissions based on the incorrect effective user information.
Administrative Deception: System administrators relying on id output for troubleshooting or auditing could make incorrect assessments about process privileges and access rights.
Security Audit Evasion: The misleading output could potentially mask privilege escalation attempts during security audits if investigators rely on id output to verify process identity.
The vulnerability can manifest in prose form as follows: when a setuid binary executes with a different effective UID than the real UID, running id in pretty print mode will display an incorrect username for the effective user, potentially showing a completely different user than what the effective UID actually represents.
Detection Methods for CVE-2026-35371
Indicators of Compromise
- Inconsistent output between id pretty print mode and standard output mode when effective and real UIDs differ
- Discrepancies between reported effective username and actual effective UID values
- Automated scripts making unexpected permission changes based on identity lookups
Detection Strategies
- Compare output from id -p with id -u -n to identify inconsistencies in effective user reporting
- Monitor for systems using uutils coreutils as a replacement for GNU coreutils
- Audit scripts and automation tools that parse id utility output for access control decisions
Monitoring Recommendations
- Review system configurations to identify where uutils coreutils is deployed
- Implement validation in scripts that verify UID values numerically rather than relying solely on username output
- Monitor for configuration management or access control scripts that depend on id utility output
How to Mitigate CVE-2026-35371
Immediate Actions Required
- Identify systems running uutils coreutils and audit any scripts or tools that rely on the id utility's pretty print output
- Modify automation scripts to use numeric UID output (id -u) rather than pretty print mode for access control decisions
- Consider temporarily switching to GNU coreutils id implementation on critical systems until a patch is available
Patch Information
No official patch information is currently available. For the latest updates and discussion regarding this vulnerability, refer to the GitHub Issue Discussion on the uutils coreutils repository.
Workarounds
- Use the standard id output format instead of pretty print mode (-p flag) for scripts and automation
- Validate identity information by cross-referencing multiple sources (e.g., /proc/self/status, getuid() syscalls)
- Replace uutils coreutils id with GNU coreutils implementation on systems where accurate effective UID reporting is critical
# Configuration example
# Use numeric UID output instead of pretty print for accurate results
# Instead of:
id -p
# Use:
id -u # Get numeric effective UID
id -un # Get username from effective UID (verify against -u output)
# For scripts requiring identity verification, use numeric comparison:
EFFECTIVE_UID=$(id -u)
if [ "$EFFECTIVE_UID" -eq 0 ]; then
echo "Running as root"
fi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
