CVE-2026-35358

Exploit

EPSS 0.18%
Veröffentlicht 22.04.2026 16:08:22
Zuletzt bearbeitet 04.05.2026 19:03:00
Quelle security@ubuntu.com
CVE-Watchlists
Login
Unerledigt
Login

uutils coreutils cp Semantic Loss and Potential Denial of Service with -R via Device Node Stream Reading

The cp utility in uutils coreutils, when performing recursive copies (-R), incorrectly treats character and block device nodes as stream sources rather than preserving them. Because the implementation reads bytes into regular files at the destination instead of using mknod, device semantics are destroyed (e.g., /dev/null becomes a regular file). This behavior can lead to runtime denial of service through disk exhaustion or process hangs when reading from unbounded device nodes.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Uutils ≫ Coreutils SwPlatformrust Version < 0.7.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.18%	0.074

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
security@ubuntu.com	4.4	1.8	2.5	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CWE-706 Use of Incorrectly-Resolved Name or Reference

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

https://github.com/uutils/coreutils/releases/tag/0.7.0

Release Notes

https://github.com/uutils/coreutils/pull/11163

Patch

Issue Tracking

https://github.com/uutils/coreutils/issues/9746

Exploit

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2026-35358

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-35358

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-35358

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-35358