DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-35338: CVE-2026-35338: Path Validation Bypass in uutils/coreutils chmod --preserve-root Option

CVE-2026-35338: Path Validation Bypass in uutils/coreutils chmod --preserve-root Option

Vulnerability ID: CVE-2026-35338
CVSS Score: 7.3
Published: 2026-07-06

A path validation bypass vulnerability exists in the chmod utility of uutils/coreutils before version 0.6.0. The '--preserve-root' safety mechanism relies on a literal string comparison, allowing local users to bypass root directory protection via unnormalized paths (such as '/../' or symbolic links) and recursively alter system-wide permissions.

TL;DR

A vulnerability in uutils/coreutils chmod allows local bypass of '--preserve-root' safety checks using unnormalized paths like '/../', leading to recursive root permission destruction.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22
  • Attack Vector: Local (AV:L)
  • CVSS v3.1 Score: 7.3
  • EPSS Score: 0.00175
  • EPSS Percentile: 7.13%
  • Impact: Local Denial of Service / Structural Permissions Failure
  • Exploit Status: Proof of Concept Available
  • CISA KEV Status: Not Listed

Affected Systems

  • uutils/coreutils (chmod recursive execution)
  • uutils/coreutils: < 0.6.0 (Fixed in: 0.6.0)

Code Analysis

Commit: 413055b

Fix chmod --preserve-root check with paths that resolve to root

@@ -407,7 +407,7 @@ impl Chmoder {
                 // should not change the permissions in this case
                 continue;
             }
-            if self.recursive && self.preserve_root && file == Path::new("/") {
+            if self.recursive && self.preserve_root && Self::is_root(file) {
                 return Err(ChmodError::PreserveRoot("/".into()).into());
             }
             if self.recursive {
@@ -419,6 +419,10 @@ impl Chmoder {
         r
     }

+    fn is_root(file: impl AsRef<Path>) -> bool {
+        matches!(fs::canonicalize(&file), Ok(p) if p == Path::new("/"))
+    }
+
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Upgrade uutils/coreutils to version 0.6.0 or higher.
  • Deploy shell auditing/monitoring rules to detect recursive execution parameters referencing parent paths.
  • Implement MAC policies (AppArmor, SELinux) to restrict recursive chmod permissions on system critical directories.

Remediation Steps:

  1. Identify environments utilizing uutils/coreutils (commonly used in Rust-based container base images or alternative coreutils installations).
  2. Check current installed version via chmod --version or system package manager.
  3. Update the package to at least 0.6.0. If installing via Cargo, execute cargo install uutils-coreutils --locked.
  4. Verify compliance by attempting a non-destructive verification: run chmod -R --preserve-root 755 /../ using an unprivileged user to confirm that the safe block triggers immediately.

References


Read the full report for CVE-2026-35338 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)