GHSA-FQF6-GXHH-2XHW: Silent Data Loss and Behavioral Mismatch in uutils coreutils Backup Logic
Vulnerability ID: GHSA-FQF6-GXHH-2XHW
CVSS Score: 6.6
Published: 2026-07-07
A behavioral mismatch vulnerability (CWE-701) in the Rust-based uutils coreutils implementation of common command-line utilities allows silent data loss. When the --suffix argument is executed without explicit backup flags, the uucore library fails to enter backup mode, silently overwriting target files instead of creating preserving copies as expected under GNU standards.
TL;DR
The Rust-based uutils coreutils implementation fails to trigger backup mode when only the --suffix parameter is specified, causing utilities like cp, mv, and ln to silently delete and overwrite existing target files without producing the expected safety backup.
Technical Details
- CWE ID: CWE-701: Behavioral Mismatch / CWE-459: Incomplete Cleanup
- Attack Vector: Local (L)
- CVSS v3.1 Score: 6.6 (Medium)
- EPSS Score: Not Applicable (No registered CVE)
- Impact: High Integrity Destruction and File Resource Deletion
- Exploit Status: Proof of Concept (PoC) available and verified
- KEV Status: Not Listed
Affected Systems
- uutils coreutils (specifically the uucore shared library module)
-
uutils coreutils: <= 0.0.28 (Fixed in:
0.0.29 / PR 9741)
Code Analysis
Commit: 43015f6
Fix backup option handling: Suffix option is enough to determine mode even if --backup is not set
@@ -359,6 +359,14 @@ pub fn determine_backup_mode(matches: &ArgMatches) -> UResult<BackupMode> {
} else {
Ok(BackupMode::Existing)
}
+ } else if matches.contains_id(arguments::OPT_SUFFIX) {
+ // Suffix option is enough to determine mode even if --backup is not set.
+ // If VERSION_CONTROL is not set, the default backup type is 'existing'.
+ if let Ok(method) = env::var("VERSION_CONTROL") {
+ match_method(&method, "$VERSION_CONTROL")
+ } else {
+ Ok(BackupMode::Existing)
+ }
} else {
// No option was present at all
Ok(BackupMode::None)
Exploit Details
- GitHub Issue: Public issue demonstrating reproducible silent data loss steps for cp, mv, and ln commands.
Mitigation Strategies
- Explicitly include the -b or --backup flag alongside any --suffix argument in all automated scripts and command-line execution contexts.
- Audit automated backup pipelines and configuration deployment tools to ensure that file system structures are validated before and after transfer operations.
- Upgrade to uutils coreutils releases containing PR #9741 to ensure native support for implicit suffix-driven backup creation.
Remediation Steps:
- Identify systems running uutils coreutils as a replacement for GNU coreutils.
- Upgrade the uutils package suite to a version compiled after December 20, 2025.
- In legacy environments, locate all cron jobs and administration scripts using the --suffix option with cp, mv, ln, or install.
- Modify those script command calls to include the explicit '--backup' or '-b' option to force proper state preservation.
References
- GitHub Security Advisory GHSA-FQF6-GXHH-2XHW
- GitHub Issue: cp/install/mv/ln --suffix alone does not enable backup mode
- GitHub Pull Request: fix: Suffix option is enough to determine backup mode
Read the full report for GHSA-FQF6-GXHH-2XHW on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)