File Ownership Vulnerability in uutils Coreutils by Uutils
CVE-2026-35351

4.2MEDIUM

Key Information:

Vendor: Uutils
Status: Coreutils
Vendor: CVE Published:; 22 April 2026

What is CVE-2026-35351?

The mv utility in uutils coreutils has a flaw where it fails to retain original file ownership when files are moved across different filesystem boundaries. Instead of preserving the source file's UID/GID, it resorts to a copy-and-delete method, assigning the destination file the caller's UID/GID. This can result in files unintentionally being owned by root when moved by a privileged user. Such mismanagement of file ownership during critical operations can lead to significant data integrity issues, potentially exposing sensitive information and hindering access for legitimate users.

References

https://github.com/uutils/coreutils/issues/9714

issue-tracking

CVSS V3.1

Score:

4.2

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Apr 2, 2026

Credit

Zellic

CVE-2026-35351 Data

JSON