Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35372

CVE-2026-35372: uutils coreutils ln Privilege Escalation

CVE-2026-35372 is a privilege escalation flaw in the uutils coreutils ln utility caused by improper handling of the --no-dereference flag. Attackers can redirect file creation to sensitive directories. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-35372 Overview

A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference (or -n) flag is explicitly provided. The implementation previously only honored the "no-dereference" intent if the --force (overwrite) mode was also enabled. This flaw causes ln to follow a symbolic link that points to a directory and create new links inside that target directory instead of treating the symbolic link itself as the destination.

Critical Impact

In environments where a privileged user or system script uses ln -n to update a symlink, a local attacker could manipulate existing symbolic links to redirect file creation into sensitive directories, potentially leading to unauthorized file creation or system misconfiguration.

Affected Products

  • uutils coreutils versions prior to 0.8.0

Discovery Timeline

  • 2026-04-22 - CVE CVE-2026-35372 published to NVD
  • 2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-35372

Vulnerability Analysis

This vulnerability is classified under CWE-61 (UNIX Symbolic Link Following), representing a symlink attack condition where the ln utility fails to properly implement the --no-dereference flag behavior. The root issue lies in flawed conditional logic that inadvertently couples the no-dereference functionality with the force overwrite mode.

When a user invokes ln -n (or ln --no-dereference) without the -f flag, the utility incorrectly dereferences the target symbolic link. This means that if an attacker can control or predict a symlink's target before a privileged operation occurs, they can redirect where files are created on the filesystem.

The attack requires local access and depends on the presence of a privileged script or user performing symlink operations using the affected utility. While user interaction is required for exploitation, the impact on system integrity can be significant since files may be created in unintended locations.

Root Cause

The root cause is a logic error in the conditional statements governing symbolic link handling within the ln utility's source code. The implementation incorrectly required both --no-dereference AND --force flags to be present for the no-dereference behavior to take effect. Without the force flag, the utility would default to dereferencing symbolic links, violating the expected behavior of the -n flag and contradicting POSIX semantics.

Attack Vector

The attack vector is local, requiring an attacker to have access to the system and the ability to create or manipulate symbolic links in locations where privileged scripts operate. An attacker could:

  1. Identify a privileged script or scheduled task that uses ln -n to update symlinks
  2. Create or manipulate a symbolic link to point to a sensitive directory (e.g., /etc, /usr/bin)
  3. Wait for the privileged operation to execute
  4. The ln utility follows the attacker-controlled symlink and creates files in the sensitive directory

This exploitation technique could lead to unauthorized file creation, configuration tampering, or potential privilege escalation depending on what files are being linked and where they end up.

The vulnerability requires local access with low privileges and some form of user interaction (the privileged script must run), but the resulting integrity impact can be significant since files may be written to security-critical directories.

Detection Methods for CVE-2026-35372

Indicators of Compromise

  • Unexpected symbolic links in directories where privileged scripts perform ln operations
  • Files appearing in sensitive system directories that were not intentionally placed there
  • Modified symbolic links in automated deployment or configuration management paths

Detection Strategies

  • Audit system scripts and cron jobs for usage of the ln command with the -n flag without -f
  • Monitor file creation events in sensitive directories using file integrity monitoring tools
  • Review system logs for unexpected symlink operations performed by privileged users or services

Monitoring Recommendations

  • Implement file integrity monitoring (FIM) on critical system directories such as /etc, /usr/bin, and /var
  • Configure auditd rules to track symlink-related syscalls (symlink, symlinkat, rename)
  • Monitor process execution for ln commands executed by root or system service accounts

How to Mitigate CVE-2026-35372

Immediate Actions Required

  • Update uutils coreutils to version 0.8.0 or later where this logic error has been corrected
  • Review and audit any system scripts or automation that use ln -n without the force flag
  • Temporarily add the -f flag to ln -n commands in critical scripts as a workaround until patching is complete

Patch Information

The vulnerability has been addressed in uutils coreutils version 0.8.0. The fix corrects the conditional logic to ensure that the --no-dereference flag is honored independently of whether --force mode is enabled.

For technical details on the fix, refer to the GitHub Pull Request #11253. The patched release is available at the GitHub Release 0.8.0.

Workarounds

  • Use ln -nf instead of ln -n in scripts to ensure the no-dereference behavior is activated (note: this enables overwrite mode)
  • Switch to GNU coreutils ln temporarily if uutils cannot be immediately updated
  • Implement additional validation in scripts to verify symlink targets before performing link operations
  • Restrict write permissions on directories where symlinks are manipulated by privileged processes
bash
# Temporary workaround: Use -f flag with -n to ensure no-dereference behavior
# Before (vulnerable if uutils < 0.8.0):
# ln -n /path/to/link_target /path/to/symlink

# After (workaround):
ln -nf /path/to/link_target /path/to/symlink

# Or verify and update to patched version:
# Check current version
uutils --version

# Update to 0.8.0 or later via your package manager or from source

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.