Directory Permission Flaw in uutils Coreutils Affects User Privacy
CVE-2026-35353

3.3 LOW

Key Information:

Vendor: Uutils

Status
Vendor
CVE Published: 22 April 2026

What is CVE-2026-35353?

The mkdir utility in uutils coreutils mishandles directory permissions when the -m flag is used. Instead of applying the specified permissions at creation, it first creates the directory with default umask-derived permissions, typically 0755. In multi-user environments this temporarily exposes the directory to other users, so sensitive data may be accessible to unauthorized parties until the intended permissions are in place. The flaw highlights the need for careful permission management in software design.
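The difference between the two-step pattern described above and passing the mode at creation time, as an added example (not code from uutils coreutils; the function names and scratch paths are hypothetical and constructed for illustration):

```rust
use std::fs::{self, DirBuilder, Permissions};
use std::io;
use std::os::unix::fs::{DirBuilderExt, PermissionsExt};
use std::path::{Path, PathBuf};

// All names below are hypothetical; this is not code from uutils coreutils.

/// rwx permission bits currently set on `path`.
fn perm_bits(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

/// Two-step pattern described in the advisory: create with defaults, then chmod.
/// Returns (mode visible between the two steps, final mode).
fn mkdir_then_chmod(path: &Path, mode: u32) -> io::Result<(u32, u32)> {
    fs::create_dir(path)?; // mkdir(2) with 0o777, reduced only by the umask
    let window = perm_bits(path)?; // what other local users see at this point
    fs::set_permissions(path, Permissions::from_mode(mode))?;
    Ok((window, perm_bits(path)?))
}

/// Hardened pattern: hand the requested mode to mkdir(2) itself, so the
/// directory never has bits outside `mode`; the chmod afterwards only restores
/// requested bits that the umask stripped.
fn mkdir_with_mode(path: &Path, mode: u32) -> io::Result<(u32, u32)> {
    DirBuilder::new().mode(mode).create(path)?;
    let initial = perm_bits(path)?;
    fs::set_permissions(path, Permissions::from_mode(mode))?;
    Ok((initial, perm_bits(path)?))
}

/// Constructed scratch path under the system temp directory.
fn scratch(name: &str) -> PathBuf {
    let p = std::env::temp_dir().join(format!("mkdir-mode-demo-{}-{}", std::process::id(), name));
    let _ = fs::remove_dir(&p);
    p
}

fn main() -> io::Result<()> {
    let (a, b) = (scratch("two-step"), scratch("one-step"));
    let (window, final_a) = mkdir_then_chmod(&a, 0o700)?;
    let (initial, final_b) = mkdir_with_mode(&b, 0o700)?;
    println!("two-step: {:04o} during the window, {:04o} after chmod", window, final_a);
    println!("one-step: {:04o} at creation, {:04o} after chmod", initial, final_b);
    fs::remove_dir(&a)?;
    fs::remove_dir(&b)
}
```

With a umask of 022 and a requested mode of 0700, the two-step variant reports 0755 during the window, while the one-step variant never shows bits outside 0700.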

Affected Version(s)

coreutils Linux 0 < 0.6.0

CVSS V3.1

Score: 3.3
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Zellic