Output File Permission Flaw in uutils Coreutils Affects Security
CVE-2026-35367

3.3LOW

Key Information:

Vendor: Uutils
Status: Coreutils
Vendor: CVE Published:; 22 April 2026

What is CVE-2026-35367?

The nohup utility within uutils coreutils creates its default output file, nohup.out, with inherited umask-based permissions, resulting in a file that is potentially world-readable (0644). In environments with multiple users, this poses a significant risk as it could grant any user access to sensitive information captured in the stdout/stderr output of executed commands. This behavior contrasts with the GNU coreutils implementation, which restricts access to owner-only (0600) permissions, thereby enhancing security and protecting against unauthorized data exposure.

References

https://github.com/uutils/coreutils/issues/10021

issue-tracking

CVSS V3.1

Score:

3.3

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Apr 2, 2026

Credit

Zellic

CVE-2026-35367 Data

JSON

Uutils

What is CVE-2026-35367?

References

CVSS V3.1

Timeline

Credit