5
CVE-2026-35372
- EPSS 0.14%
- Veröffentlicht 22.04.2026 16:08:58
- Zuletzt bearbeitet 04.05.2026 18:49:46
- Quelle security@ubuntu.com
- CVE-Watchlists
- Unerledigt
Loginuutils coreutils ln Security Bypass via Improper Handling of the --no-dereference Flag
A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference (or -n) flag is explicitly provided. The implementation previously only honored the "no-dereference" intent if the --force (overwrite) mode was also enabled. This flaw causes ln to follow a symbolic link that points to a directory and create new links inside that target directory instead of treating the symbolic link itself as the destination. In environments where a privileged user or system script uses ln -n to update a symlink, a local attacker could manipulate existing symbolic links to redirect file creation into sensitive directories, potentially leading to unauthorized file creation or system misconfiguration.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.14% | 0.035 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@ubuntu.com | 5 | 1.3 | 3.6 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
|
CWE-61 UNIX Symbolic Link (Symlink) Following
The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
https://github.com/uutils/coreutils/pull/11253
https://github.com/uutils/coreutils/releases/tag/0.8.0