ByteOS Network

NVD Vulnerability Details :

CVE-2026-35338

Analyzed

Source-security@ubuntu.com

Published At-22 Apr, 2026 | 17:16

Updated At-27 Apr, 2026 | 12:28

A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism. The implementation only validates if the target path is literally / and does not canonicalize the path. An attacker or accidental user can use path variants such as /../ or symbolic links to execute destructive recursive operations (e.g., chmod -R 000) on the entire root filesystem, leading to system-wide permission loss and potential complete system breakdown.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	7.3	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Type: Secondary

Version: 3.1

Base score: 7.3

Base severity: HIGH

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CPE Matches

uutils>>coreutils>>Versions before 0.6.0(exclusive)

cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*

Weaknesses

CWE ID	Type	Source
CWE-22	Secondary	security@ubuntu.com

CWE ID: CWE-22

Type: Secondary

Source: security@ubuntu.com

References

Hyperlink	Source	Resource
https://github.com/uutils/coreutils/pull/10033	security@ubuntu.com	Issue Tracking Patch
https://github.com/uutils/coreutils/releases/tag/0.6.0	security@ubuntu.com	Release Notes

Hyperlink: https://github.com/uutils/coreutils/pull/10033

Source: security@ubuntu.com

Resource:

Issue Tracking

Patch

Hyperlink: https://github.com/uutils/coreutils/releases/tag/0.6.0

Source: security@ubuntu.com

Resource:

Release Notes

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History