CVE-2026-35372 Overview
A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference (or -n) flag is explicitly provided. The implementation previously only honored the "no-dereference" intent if the --force (overwrite) mode was also enabled. This flaw causes ln to follow a symbolic link that points to a directory and create new links inside that target directory instead of treating the symbolic link itself as the destination.
Critical Impact
In environments where a privileged user or system script uses ln -n to update a symlink, a local attacker could manipulate existing symbolic links to redirect file creation into sensitive directories, potentially leading to unauthorized file creation or system misconfiguration.
Affected Products
- uutils coreutils versions prior to 0.8.0
Discovery Timeline
- 2026-04-22 - CVE-2026-35372 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35372
Vulnerability Analysis
This vulnerability is classified under CWE-61 (UNIX Symbolic Link Following), representing a symlink attack condition where the ln utility fails to properly implement the --no-dereference flag behavior. The root issue lies in flawed conditional logic that inadvertently couples the no-dereference functionality with the force overwrite mode.
When a user invokes ln -n (or ln --no-dereference) without the -f flag, the utility incorrectly dereferences the target symbolic link. This means that if an attacker can control or predict a symlink's target before a privileged operation occurs, they can redirect where files are created on the filesystem.
The attack requires local access and depends on the presence of a privileged script or user performing symlink operations using the affected utility. While user interaction is required for exploitation, the impact on system integrity can be significant since files may be created in unintended locations.
Root Cause
The root cause is a logic error in the conditional statements governing symbolic link handling within the ln utility's source code. The implementation incorrectly required both --no-dereference AND --force flags to be present for the no-dereference behavior to take effect. Without the force flag, the utility would default to dereferencing symbolic links, violating the expected behavior of the -n flag and contradicting POSIX semantics.
Attack Vector
The attack vector is local, requiring an attacker to have access to the system and the ability to create or manipulate symbolic links in locations where privileged scripts operate. An attacker could:
- Identify a privileged script or scheduled task that uses ln -n to update symlinks
- Create or manipulate a symbolic link to point to a sensitive directory (e.g., /etc, /usr/bin)
- Wait for the privileged operation to execute
- As a result, the ln utility follows the attacker-controlled symlink and creates files in the sensitive directory
This exploitation technique could lead to unauthorized file creation, configuration tampering, or potential privilege escalation depending on what files are being linked and where they end up.
The vulnerability requires local access with low privileges and some form of user interaction (the privileged script must run), but the resulting integrity impact can be significant since files may be written to security-critical directories.
Detection Methods for CVE-2026-35372
Indicators of Compromise
- Unexpected symbolic links in directories where privileged scripts perform ln operations
- Files appearing in sensitive system directories that were not intentionally placed there
- Modified symbolic links in automated deployment or configuration management paths
Detection Strategies
- Audit system scripts and cron jobs for usage of the ln command with the -n flag without -f
- Monitor file creation events in sensitive directories using file integrity monitoring tools
- Review system logs for unexpected symlink operations performed by privileged users or services
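One way to run the first audit above, as an added example that is not part of the original advisory or the uutils project: a POSIX shell function that flags ln invocations carrying -n/--no-dereference without -f/--force. The function names, sample lines and paths are constructed, and the parsing is a heuristic that only reads options placed directly after ln.

```shell
#!/bin/sh
# Added example: flag "ln" calls that pass -n/--no-dereference without -f/--force.
# Heuristic: only options written directly after "ln" are read.

find_ln_n_without_f() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                        # crude comment stripping
        n = split(line, w, /[ \t;|&()]+/)
        hit = 0
        for (i = 1; i <= n && !hit; i++) {
            if (w[i] != "ln" && w[i] !~ /\/ln$/) continue
            nod = 0; force = 0
            for (j = i + 1; j <= n && w[j] ~ /^-/ && w[j] != "--"; j++) {
                if (w[j] ~ /^--no-d/) nod = 1       # --no-dereference
                else if (w[j] ~ /^--f/) force = 1   # --force
                else if (w[j] !~ /^--/) {           # short cluster such as -sn
                    if (w[j] ~ /n/) nod = 1
                    if (w[j] ~ /f/) force = 1
                }
            }
            if (nod && !force) hit = 1
        }
        if (hit) printf "%s:%d:%s\n", (FILENAME == "" || FILENAME == "-" ? "stdin" : FILENAME), FNR, $0
    }' "$@"
}

# Constructed sample input (not taken from any real system).
sample_lines() {
    cat <<'EOF'
ln -sn /srv/releases/42 /srv/app/current
ln -sfn /srv/releases/42 /srv/app/current
ln -s --no-dereference /opt/tool-2.1 /opt/tool
ln --force --no-dereference /opt/tool-2.1 /opt/tool
# ln -n /path/to/link_target /path/to/symlink
/usr/bin/ln -n -f /etc/alternatives/editor.new /etc/alternatives/editor
ln -s /usr/share/zoneinfo/UTC /tmp/localtime
EOF
}

sample_lines | find_ln_n_without_f    # reports sample lines 1 and 3 only
```

Pass script paths as arguments to scan files instead of standard input; each hit is printed as file:line:text for manual review.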
Monitoring Recommendations
- Implement file integrity monitoring (FIM) on critical system directories such as /etc, /usr/bin, and /var
- Configure auditd rules to track symlink-related syscalls (symlink, symlinkat, rename)
- Monitor process execution for ln commands executed by root or system service accounts
How to Mitigate CVE-2026-35372
Immediate Actions Required
- Update uutils coreutils to version 0.8.0 or later where this logic error has been corrected
- Review and audit any system scripts or automation that use ln -n without the force flag
- Temporarily add the -f flag to ln -n commands in critical scripts as a workaround until patching is complete
Patch Information
The vulnerability has been addressed in uutils coreutils version 0.8.0. The fix corrects the conditional logic to ensure that the --no-dereference flag is honored independently of whether --force mode is enabled.
For technical details on the fix, refer to the GitHub Pull Request #11253. The patched release is available at the GitHub Release 0.8.0.
Workarounds
- Use ln -nf instead of ln -n in scripts to ensure the no-dereference behavior is activated (note: this enables overwrite mode)
- Switch to GNU coreutils ln temporarily if uutils cannot be immediately updated
- Implement additional validation in scripts to verify symlink targets before performing link operations
- Restrict write permissions on directories where symlinks are manipulated by privileged processes
# Temporary workaround: Use -f flag with -n to ensure no-dereference behavior
# Before (vulnerable if uutils < 0.8.0):
# ln -n /path/to/link_target /path/to/symlink
# After (workaround):
ln -nf /path/to/link_target /path/to/symlink
# Or verify the installed version and update to the patched release:
# Check which ln implementation and version is on the PATH
ln --version
# Update to 0.8.0 or later via your package manager or from source
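To confirm that an installed ln honors -n on its own after the update, the check below can be run as an unprivileged user (added example, not part of the original advisory or the uutils project; the function name and fixture names are constructed). It builds a symlink to a directory inside a temporary directory, runs ln -sn against it without -f, and reports whether anything was created inside the directory the symlink points to.

```shell
#!/bin/sh
# Added example: does an ln implementation honor -n when -f is absent?
# check_ln_n [LN_COMMAND] returns 0 = honored, 1 = symlink was followed,
# 2 = fixture setup failed. All work happens in a throwaway mktemp directory.

check_ln_n() {
    ln_cmd=${1:-ln}
    tmp=$(mktemp -d) || return 2
    # Fixture: "current" is an existing symlink that points at a directory.
    if ! { mkdir "$tmp/real_dir" "$tmp/new_target" &&
           ln -s "$tmp/real_dir" "$tmp/current"; }; then
        rm -rf "$tmp"
        return 2
    fi
    # Invocation under test: -n without -f. The exit status is ignored on
    # purpose; only the resulting filesystem state is inspected.
    "$ln_cmd" -sn "$tmp/new_target" "$tmp/current" 2>/dev/null || true
    # If the symlink was followed, a link named new_target now sits in real_dir.
    if [ -e "$tmp/real_dir/new_target" ] || [ -L "$tmp/real_dir/new_target" ]; then
        result=1
    else
        result=0
    fi
    rm -rf "$tmp"
    return "$result"
}

rc=0
check_ln_n ln || rc=$?
case $rc in
    0) echo "ln honors -n without -f" ;;
    1) echo "ln followed the symlink despite -n: update or apply the workaround" ;;
    *) echo "check could not run (temporary directory setup failed)" ;;
esac
```

Pass another command name or path as the first argument to check a different ln binary.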