Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35371

CVE-2026-35371: uutils coreutils Information Disclosure

CVE-2026-35371 is an information disclosure flaw in uutils coreutils affecting the id utility's output when real and effective UIDs differ. This post covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-35371 Overview

CVE-2026-35371 is a User Interface Misrepresentation vulnerability affecting the id utility in uutils coreutils. The vulnerability manifests in the "pretty print" output mode when the real UID and effective UID differ, causing the implementation to incorrectly use the effective GID instead of the effective UID when performing a name lookup for the effective user. This results in misleading diagnostic output that can cause automated scripts or system administrators to make incorrect decisions regarding file permissions or access control.

Critical Impact

Misleading output from the id utility can cause administrators and automated scripts to make incorrect security decisions regarding file permissions and access control, potentially leading to improper privilege assignments.

Affected Products

  • uutils coreutils (specific versions not disclosed)

Discovery Timeline

  • 2026-04-22 - CVE CVE-2026-35371 published to NVD
  • 2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-35371

Vulnerability Analysis

This vulnerability falls under CWE-451 (User Interface (UI) Misrepresentation of Critical Information). The id utility in uutils coreutils provides critical identity information used by system administrators and automated scripts to make access control decisions. When there is a discrepancy between the real UID and effective UID (a common scenario during privilege escalation operations like setuid programs), the utility's pretty print mode displays incorrect information.

The core issue lies in the name resolution logic where the code incorrectly references the effective GID variable when it should be using the effective UID. This logic error means the displayed username for the effective user may not correspond to the actual effective UID, creating a mismatch between what is displayed and the actual security context of the process.

Root Cause

The root cause is an implementation error in the name lookup logic within the id utility's pretty print functionality. When resolving the effective user's name for display purposes, the code incorrectly passes the effective GID value to the name resolution function instead of the effective UID. This type of variable confusion bug results in the wrong identifier being used for the lookup operation.

Attack Vector

The attack vector is local, requiring an attacker to have local access to a system running the vulnerable uutils coreutils. While the vulnerability itself does not directly enable privilege escalation, it can be exploited in several scenarios:

  1. Automation Exploitation: Scripts that parse id output to make security decisions could be misled into granting inappropriate access or permissions based on the incorrect effective user information.

  2. Administrative Deception: System administrators relying on id output for troubleshooting or auditing could make incorrect assessments about process privileges and access rights.

  3. Security Audit Evasion: The misleading output could potentially mask privilege escalation attempts during security audits if investigators rely on id output to verify process identity.

The vulnerability can manifest in prose form as follows: when a setuid binary executes with a different effective UID than the real UID, running id in pretty print mode will display an incorrect username for the effective user, potentially showing a completely different user than what the effective UID actually represents.

Detection Methods for CVE-2026-35371

Indicators of Compromise

  • Inconsistent output between id pretty print mode and standard output mode when effective and real UIDs differ
  • Discrepancies between reported effective username and actual effective UID values
  • Automated scripts making unexpected permission changes based on identity lookups

Detection Strategies

  • Compare output from id -p with id -u -n to identify inconsistencies in effective user reporting
  • Monitor for systems using uutils coreutils as a replacement for GNU coreutils
  • Audit scripts and automation tools that parse id utility output for access control decisions

Monitoring Recommendations

  • Review system configurations to identify where uutils coreutils is deployed
  • Implement validation in scripts that verify UID values numerically rather than relying solely on username output
  • Monitor for configuration management or access control scripts that depend on id utility output

How to Mitigate CVE-2026-35371

Immediate Actions Required

  • Identify systems running uutils coreutils and audit any scripts or tools that rely on the id utility's pretty print output
  • Modify automation scripts to use numeric UID output (id -u) rather than pretty print mode for access control decisions
  • Consider temporarily switching to GNU coreutils id implementation on critical systems until a patch is available

Patch Information

No official patch information is currently available. For the latest updates and discussion regarding this vulnerability, refer to the GitHub Issue Discussion on the uutils coreutils repository.

Workarounds

  • Use the standard id output format instead of pretty print mode (-p flag) for scripts and automation
  • Validate identity information by cross-referencing multiple sources (e.g., /proc/self/status, getuid() syscalls)
  • Replace uutils coreutils id with GNU coreutils implementation on systems where accurate effective UID reporting is critical
bash
# Configuration example
# Use numeric UID output instead of pretty print for accurate results
# Instead of:
id -p

# Use:
id -u  # Get numeric effective UID
id -un # Get username from effective UID (verify against -u output)

# For scripts requiring identity verification, use numeric comparison:
EFFECTIVE_UID=$(id -u)
if [ "$EFFECTIVE_UID" -eq 0 ]; then
    echo "Running as root"
fi

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.