CVE-2026-35338: Path Validation Bypass in uutils/coreutils chmod --preserve-root Option
Vulnerability ID: CVE-2026-35338
CVSS Score: 7.3
Published: 2026-07-06
A path validation bypass vulnerability exists in the chmod utility of uutils/coreutils before version 0.6.0. The '--preserve-root' safety mechanism relies on a literal string comparison, allowing local users to bypass root directory protection via unnormalized paths (such as '/../' or symbolic links) and recursively alter system-wide permissions.
TL;DR
A vulnerability in uutils/coreutils chmod allows local bypass of '--preserve-root' safety checks using unnormalized paths like '/../', leading to recursive root permission destruction.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-22
- Attack Vector: Local (AV:L)
- CVSS v3.1 Score: 7.3
- EPSS Score: 0.00175
- EPSS Percentile: 7.13%
- Impact: Local Denial of Service / Structural Permissions Failure
- Exploit Status: Proof of Concept Available
- CISA KEV Status: Not Listed
Affected Systems
- uutils/coreutils (chmod recursive execution)
-
uutils/coreutils: < 0.6.0 (Fixed in:
0.6.0)
Code Analysis
Commit: 413055b
Fix chmod --preserve-root check with paths that resolve to root
@@ -407,7 +407,7 @@ impl Chmoder {
// should not change the permissions in this case
continue;
}
- if self.recursive && self.preserve_root && file == Path::new("/") {
+ if self.recursive && self.preserve_root && Self::is_root(file) {
return Err(ChmodError::PreserveRoot("/".into()).into());
}
if self.recursive {
@@ -419,6 +419,10 @@ impl Chmoder {
r
}
+ fn is_root(file: impl AsRef<Path>) -> bool {
+ matches!(fs::canonicalize(&file), Ok(p) if p == Path::new("/"))
+ }
+
Mitigation Strategies
- Upgrade uutils/coreutils to version 0.6.0 or higher.
- Deploy shell auditing/monitoring rules to detect recursive execution parameters referencing parent paths.
- Implement MAC policies (AppArmor, SELinux) to restrict recursive chmod permissions on system critical directories.
Remediation Steps:
- Identify environments utilizing uutils/coreutils (commonly used in Rust-based container base images or alternative coreutils installations).
- Check current installed version via
chmod --versionor system package manager. - Update the package to at least 0.6.0. If installing via Cargo, execute
cargo install uutils-coreutils --locked. - Verify compliance by attempting a non-destructive verification: run
chmod -R --preserve-root 755 /../using an unprivileged user to confirm that the safe block triggers immediately.
References
- CVE org Entry
- uutils/coreutils Release Tag 0.6.0
- Security Fix Pull Request #10033
- Official Fix Commit
Read the full report for CVE-2026-35338 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)