Denial of Service Vulnerability in uutils Coreutils Affecting Recursive Copy Operations
CVE-2026-35358

4.4 MEDIUM

Key Information:

Vendor: Uutils

Status
Vendor
CVE Published: 22 April 2026

What is CVE-2026-35358?

The cp utility in uutils coreutils, when performing recursive copies, mishandles character and block device nodes by treating them as standard stream sources. As a result, device semantics are lost; for example, /dev/null is turned into a regular file. The flaw can also cause a runtime denial of service: reading from an unbounded device node may exhaust the disk or leave the process unresponsive.
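A post-copy audit for the symptom described above, as an added example (not code from uutils or from this advisory): it walks a source tree and reports every character or block device node whose counterpart in the destination is a regular file. The function names `flattened` and `audit_copy` are hypothetical, and the destination is assumed to mirror the source layout.

```python
import os
import stat
import sys


def flattened(src_mode, dst_mode):
    """True when the source is a char/block device but the copy is a regular file."""
    src_is_device = stat.S_ISCHR(src_mode) or stat.S_ISBLK(src_mode)
    return src_is_device and stat.S_ISREG(dst_mode)


def audit_copy(src_root, dst_root):
    """Compare a recursive copy against its source.

    Returns a list of (relative_path, size_of_copy_in_bytes) for every device
    node under src_root that exists as a regular file under dst_root.
    """
    findings = []
    # os.walk lists device nodes among the non-directory entries and does not
    # follow symlinked directories by default.
    for dirpath, _dirnames, filenames in os.walk(src_root):
        for name in filenames:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(dst_root, rel)
            try:
                # lstat inspects the entry itself; a device node is never opened.
                src_st = os.lstat(src)
                dst_st = os.lstat(dst)
            except OSError:
                continue  # missing or unreadable on either side: nothing to compare
            if flattened(src_st.st_mode, dst_st.st_mode):
                findings.append((rel, dst_st.st_size))
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: audit_copy.py SOURCE_DIR COPIED_DIR")
    results = audit_copy(sys.argv[1], sys.argv[2])
    for rel, size in results:
        print(f"device node copied as regular file: {rel} ({size} bytes)")
    sys.exit(1 if results else 0)
```

A large reported size for a copied entry indicates that data was read from the device into the destination, which is the disk-exhaustion case the description mentions.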

Affected Version(s)

coreutils Linux 0 < 0.7.0

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Zellic