CVE-2026-35371: Logical Identity Spoofing in uutils coreutils id Utility
Vulnerability ID: CVE-2026-35371
CVSS Score: 3.3
Published: 2026-07-06
CVE-2026-35371 is a logical validation vulnerability (CWE-451) in the Rust-based GNU coreutils clone (uutils/coreutils). When formatting pretty-print statistics for a process where the real User ID (UID) and effective User ID (EUID) differ, the id utility mistakenly uses the effective Group ID (EGID) to retrieve the effective user name. This mismatch can mislead administrative scripts or system administrators who rely on the command's stdout to verify privilege states.
TL;DR
The Rust-based uutils 'id' utility incorrectly resolves the effective user's name using the effective Group ID (EGID) instead of the effective User ID (EUID) when real and effective IDs differ. This allows local users to spoof their reported username to downstream scripts by manipulating their group context.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-451
- Attack Vector: Local (AV:L)
- CVSS Base Score: 3.3
- EPSS Score: 0.00123
- EPSS Percentile: 2.42%
- Impact: Identity spoofing and downstream script logic bypass
- Exploit Status: Proof of concept
- KEV Status: Not listed
Affected Systems
- uutils coreutils
- Ubuntu Linux (with uutils coreutils installed)
-
uutils coreutils: All versions prior to the January 2026 fix commit (Fixed in:
Commit addressing issue 10006)
Exploit Details
- GitHub Issue #10006: Detailed reproduction steps and analysis of the logical variable mismatch within the id utility.
Mitigation Strategies
- Update uutils coreutils to the latest commit addressing issue 10006
- Configure critical system scripts to prioritize standard GNU coreutils instead of uutils clone
- Utilize shell environmental variables like $EUID for authorization verification instead of parsing id CLI stdout
Remediation Steps:
- Identify any active installations of the Rust-based uutils coreutils id utility.
- Apply the patch replacing 'uid2usr(egid)' with 'uid2usr(euid)' in the src/uu/id/src/id.rs file.
- Recompile uutils using Cargo.
- Audit downstream service scripts for patterns parsing the stdout of 'id' command directly.
References
- Official Issue Tracking Page
- CVE.org Authority Portal
- NVD Authority Record
- Wiz Vulnerability Database Advisory
Read the full report for CVE-2026-35371 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)