Privilege Escalation Vulnerability in uutils Coreutils by uutils
CVE-2026-35350

6.6 MEDIUM

Key Information:

Vendor: Uutils

Status
Vendor
CVE Published: 22 April 2026

What is CVE-2026-35350?

The cp utility in uutils coreutils mishandles the setuid and setgid bits when an attempt to preserve ownership fails. With the -p (preserve) flag, cp applies the source file's mode bits to the destination even if the ownership change fails. As a result, a user-owned copy of a file can keep privileged mode bits, potentially allowing unauthorized execution of privileged commands in violation of local security policy. GNU cp avoids this by clearing those bits when ownership cannot be preserved; uutils coreutils does not.
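The mitigation described above (drop setuid/setgid when the ownership change fails) can be sketched as follows. This is an added example, not code from uutils or GNU coreutils; the names `mode_for_copy` and `copy_preserve` are hypothetical, and it handles regular files only.

```rust
use std::fs::{self, OpenOptions, Permissions};
use std::io;
use std::os::unix::fs::{chown, MetadataExt, OpenOptionsExt, PermissionsExt};
use std::path::Path;

const S_ISUID: u32 = 0o4000;
const S_ISGID: u32 = 0o2000;

/// Permission bits to apply to the copy. If the source owner/group could not
/// be applied, setuid/setgid are dropped so they never attach to another owner.
fn mode_for_copy(src_mode: u32, ownership_preserved: bool) -> u32 {
    let bits = src_mode & 0o7777; // strip the file-type bits from st_mode
    if ownership_preserved { bits } else { bits & !(S_ISUID | S_ISGID) }
}

/// Hypothetical `cp -p`-style copy of a regular file; returns the mode applied.
fn copy_preserve(src: &Path, dst: &Path) -> io::Result<u32> {
    let meta = fs::metadata(src)?;
    let mut input = fs::File::open(src)?;
    // A newly created destination stays owner-only until ownership is settled.
    let mut output = OpenOptions::new()
        .write(true).create(true).truncate(true).mode(0o600).open(dst)?;
    io::copy(&mut input, &mut output)?;
    drop(output);
    // Ownership first: its result decides which mode bits are safe to keep.
    let owned = chown(dst, Some(meta.uid()), Some(meta.gid())).is_ok();
    let mode = mode_for_copy(meta.mode(), owned);
    fs::set_permissions(dst, Permissions::from_mode(mode))?;
    Ok(mode)
}

fn main() -> io::Result<()> {
    // Constructed sample: a setuid source mode, with and without a working chown.
    println!("chown ok:     {:o}", mode_for_copy(0o104755, true));
    println!("chown failed: {:o}", mode_for_copy(0o104755, false));
    let args: Vec<String> = std::env::args().collect();
    if args.len() == 3 {
        let mode = copy_preserve(Path::new(&args[1]), Path::new(&args[2]))?;
        println!("copied with mode {:o}", mode);
    }
    Ok(())
}
```

Applying ownership before the mode is what makes the check possible: the mode written last reflects whether the chown actually succeeded.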

CVSS V3.1

Score: 6.6
Severity: MEDIUM
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Zellic