DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-35339: CVE-2026-35339: Incorrect Exit Status Propagation in Rust uutils/coreutils chmod Recursive Execution

CVE-2026-35339: Incorrect Exit Status Propagation in Rust uutils/coreutils chmod Recursive Execution

Vulnerability ID: CVE-2026-35339
CVSS Score: 5.5
Published: 2026-07-06

CVE-2026-35339 is a logic vulnerability in the Rust-written uutils/coreutils implementation of the chmod utility. When executing recursively (-R or --recursive) over multiple target paths, the utility fails to accumulate the overall exit status, overwriting error codes from early failures with the status of the final target. This results in false-success exit codes (0), potentially leading security automation and deployment scripts to assume permission modifications succeeded when they actually failed.

TL;DR

A 'last-file-wins' logic vulnerability in Rust-based chmod -R permits silent failures, returning exit code 0 even if previous targets failed. This bypasses automated permission checks in scripts and CI/CD pipelines.


Technical Details

  • CWE ID: CWE-253 (Incorrect Check of Function Return Value)
  • Attack Vector: Local (AV:L)
  • CVSS v3.1: 5.5 (Medium)
  • EPSS Score: 0.00142 (3.90th percentile)
  • Impact: Integrity Loss (Silent permission-application bypasses)
  • Exploit Status: No public weaponized exploits available
  • CISA KEV Status: Not listed

Affected Systems

  • uutils/coreutils
  • coreutils: < 0.6.0 (Fixed in: 0.6.0)

Code Analysis

Commit: abd581f

Fix exit status in chmod recursive mode with multiple arguments

@@ -411,7 +411,7 @@
-                r = self.walk_dir_with_context(file, true);
+                r = self.walk_dir_with_context(file, true).and(r);
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Upgrade uutils/coreutils to version 0.6.0 or later.
  • Deconstruct multi-argument recursive chmod operations in scripts into separate commands or chain them with explicit logical operators.
  • Implement defensive post-execution verification checks using test operators or find to validate that target permissions match expectations.

Remediation Steps:

  1. Identify systems or container images using Rust uutils/coreutils.
  2. Update coreutils package to version 0.6.0 or higher.
  3. For active CI/CD pipelines, audit bash scripts or Ansible playbooks that invoke chmod with multiple recursive directory targets.
  4. Modify multi-target invocations to single-target invocations linked with '&&' if immediate upgrades are not possible.

References


Read the full report for CVE-2026-35339 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)