CVE-2026-35339: Incorrect Exit Status Propagation in Rust uutils/coreutils chmod Recursive Execution
Vulnerability ID: CVE-2026-35339
CVSS Score: 5.5
Published: 2026-07-06
CVE-2026-35339 is a logic vulnerability in the Rust-written uutils/coreutils implementation of the chmod utility. When executing recursively (-R or --recursive) over multiple target paths, the utility fails to accumulate the overall exit status, overwriting error codes from early failures with the status of the final target. This results in false-success exit codes (0), potentially leading security automation and deployment scripts to assume permission modifications succeeded when they actually failed.
TL;DR
A 'last-file-wins' logic vulnerability in Rust-based chmod -R permits silent failures, returning exit code 0 even if previous targets failed. This bypasses automated permission checks in scripts and CI/CD pipelines.
Technical Details
- CWE ID: CWE-253 (Incorrect Check of Function Return Value)
- Attack Vector: Local (AV:L)
- CVSS v3.1: 5.5 (Medium)
- EPSS Score: 0.00142 (3.90th percentile)
- Impact: Integrity Loss (Silent permission-application bypasses)
- Exploit Status: No public weaponized exploits available
- CISA KEV Status: Not listed
Affected Systems
- uutils/coreutils
-
coreutils: < 0.6.0 (Fixed in:
0.6.0)
Code Analysis
Commit: abd581f
Fix exit status in chmod recursive mode with multiple arguments
@@ -411,7 +411,7 @@
- r = self.walk_dir_with_context(file, true);
+ r = self.walk_dir_with_context(file, true).and(r);
Mitigation Strategies
- Upgrade uutils/coreutils to version 0.6.0 or later.
- Deconstruct multi-argument recursive chmod operations in scripts into separate commands or chain them with explicit logical operators.
- Implement defensive post-execution verification checks using test operators or find to validate that target permissions match expectations.
Remediation Steps:
- Identify systems or container images using Rust uutils/coreutils.
- Update coreutils package to version 0.6.0 or higher.
- For active CI/CD pipelines, audit bash scripts or Ansible playbooks that invoke chmod with multiple recursive directory targets.
- Modify multi-target invocations to single-target invocations linked with '&&' if immediate upgrades are not possible.
References
- CVE-2026-35339 Record
- GitHub Pull Request 9793
- Security Fix Commit
- uutils coreutils 0.6.0 Release
- Wiz Vulnerability Database Entry
Read the full report for CVE-2026-35339 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)