Cyber Posture

CVE-2026-35338

Severity: High
Published: 22 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: available
CVSS Score: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.1th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-35338 is a high-severity Path Traversal (CWE-22) vulnerability in Uutils Coreutils. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Linux and Mac Permissions (T1222.002). The CVE is ranked at the 1.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Linux and Mac Permissions (T1222.002). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Requires timely identification, patching, and deployment of the fix for the path canonicalization flaw in the uutils coreutils chmod utility (fixed in release 0.6.0), directly preventing bypass of the --preserve-root mechanism.

SI-10 Information Input Validation (prevent)

Mandates input validation, including path canonicalization, in utilities like chmod, directly countering the CWE-22 path traversal vulnerability exploited via variants like /../ or symlinks.

Least Privilege (prevent)

Enforces least privilege to restrict the root access needed to run a destructive recursive chmod on the root filesystem, limiting exploitation opportunities.

MITRE ATT&CK Enterprise Techniques

T1222.002 Linux and Mac Permissions (Defense Impairment)
Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.

Why these techniques?

The vulnerability directly bypasses the --preserve-root check in chmod via path traversal (e.g., /../), enabling recursive permission modification of files and directories across the root filesystem. This maps to T1222.002 (Linux and Mac Permissions), whether the outcome is denial of service or access-control evasion.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism. The implementation only validates if the target path is literally / and does not canonicalize the path. An attacker or accidental user can use path variants such as /../ or symbolic links to execute destructive recursive operations (e.g., chmod -R 000) on the entire root filesystem, leading to system-wide permission loss and potential complete system breakdown.

Deeper analysis

CVE-2026-35338 is a vulnerability in the chmod utility within uutils coreutils, a Rust implementation of GNU coreutils. The flaw allows bypassing the --preserve-root safety mechanism, which is intended to prevent recursive operations on the root filesystem. Specifically, the implementation checks only if the target path is literally "/" without canonicalizing it, enabling path variants like /../ or symbolic links to circumvent this protection (CWE-22).

Local attackers or even accidental users with low privileges can exploit this vulnerability. Exploitation requires low complexity and user interaction, such as running a crafted chmod command like "chmod -R 000 /../". Successful attacks enable destructive recursive operations on the entire root filesystem, resulting in system-wide permission loss, high impacts to confidentiality, integrity, and availability, and potential complete system breakdown.

Mitigation is available via the patch in GitHub pull request https://github.com/uutils/coreutils/pull/10033, which has been incorporated into uutils coreutils release 0.6.0 at https://github.com/uutils/coreutils/releases/tag/0.6.0. Security practitioners should update affected installations to version 0.6.0 or later to address the issue.
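To make the flaw described above concrete, here is an added Rust illustration written for this page (it is not the uutils code and not the actual patch): a literal-string root check, which is the pattern the advisory describes, beside one that canonicalizes the target before comparing it with "/". The function names `is_root_literal`, `is_root_canonical` and `preserve_root_blocks` and the symlink created in the temp directory are assumptions of this demo.

```rust
// Added illustration for CVE-2026-35338 (hypothetical code, not the uutils implementation).
use std::io;
use std::path::{Path, PathBuf};

/// The flawed pattern described in the advisory: the target counts as the
/// root filesystem only when it is the literal string "/", so "/../", "/./"
/// or a symlink pointing at "/" slip through.
pub fn is_root_literal(target: &str) -> bool {
    target == "/"
}

/// Hardened check: let the OS resolve ".", "..", repeated separators and
/// symbolic links first, then compare the real path against "/".
/// Fails closed: an unresolvable path yields an error, not a silent "not root".
pub fn is_root_canonical(target: &str) -> io::Result<bool> {
    let resolved: PathBuf = std::fs::canonicalize(target)?;
    Ok(resolved == Path::new("/"))
}

/// Gate a recursive permission change the way --preserve-root is meant to:
/// refuse only when the operation is recursive, preserve-root is on, and the
/// *resolved* target is the root filesystem.
pub fn preserve_root_blocks(target: &str, recursive: bool, preserve_root: bool) -> io::Result<bool> {
    if !recursive || !preserve_root {
        return Ok(false);
    }
    is_root_canonical(target)
}

fn main() -> io::Result<()> {
    // Path variants from the advisory plus a symlink (constructed for this
    // demo in the temp directory) that points at "/".
    let link = std::env::temp_dir().join("cve-2026-35338-root-link");
    let _ = std::fs::remove_file(&link);
    std::os::unix::fs::symlink("/", &link)?;
    let link_str = link.to_string_lossy().into_owned();

    for target in ["/", "/../", "/./", link_str.as_str()] {
        println!(
            "{target:<40} literal={:<5} canonical={}",
            is_root_literal(target),
            is_root_canonical(target)?
        );
    }
    std::fs::remove_file(&link)?;
    Ok(())
}
```

Only the literal check reports the symlink and the /../ variant as safe; the canonical check refuses all four.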

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products: uutils coreutils ≤ 0.6.0

CVEs Like This One

CVE-2026-35341 (same product: Uutils Coreutils)
CVE-2026-35349 (same product: Uutils Coreutils)
CVE-2026-35368 (same product: Uutils Coreutils)
CVE-2026-23536 (shared CWE-22)
CVE-2025-23422 (shared CWE-22)
CVE-2024-48885 (shared CWE-22)
CVE-2024-12849 (shared CWE-22)
CVE-2026-33656 (shared CWE-22)
CVE-2025-8343 (shared CWE-22)
CVE-2025-59384 (shared CWE-22)