CVE-2026-35351

Exploit

EPSS 0.13%
Veröffentlicht 22.04.2026 16:08:04
Zuletzt bearbeitet 27.04.2026 12:28:10
Quelle security@ubuntu.com
CVE-Watchlists
Login
Unerledigt
Login

uutils coreutils mv Silent Ownership Loss in Cross-Device Operations

The mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls back to a copy-and-delete routine that creates the destination file using the caller's UID/GID rather than the source's metadata. This flaw breaks backups and migrations, causing files moved by a privileged user (e.g., root) to become root-owned unexpectedly, which can lead to information disclosure or restricted access for the intended owners.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Uutils ≫ Coreutils Version- SwPlatformrust

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.13%	0.031

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@ubuntu.com	4.2	0.8	3.4	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CWE-281 Improper Preservation of Permissions

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

https://github.com/uutils/coreutils/issues/9714

Vendor Advisory

Exploit

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2026-35351

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-35351

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-35351

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-35351