CVE-2026-35338
Published: 22 April 2026
Summary
CVE-2026-35338 is a high-severity Path Traversal (CWE-22) vulnerability in Uutils Coreutils. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Linux and Mac Permissions (T1222.002). The CVE ranks at the 1.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-35338 is a vulnerability in the chmod utility within uutils coreutils, a Rust implementation of GNU coreutils. The flaw allows bypassing the --preserve-root safety mechanism, which is intended to prevent recursive operations on the root filesystem. Specifically, the implementation checks only whether the target path is literally "/" and does not canonicalize it first, so path variants such as /../ or a symbolic link that points at / pass the check and circumvent this protection (CWE-22).
Local attackers, or users with low privileges acting by accident, can trigger this vulnerability. Exploitation requires low complexity and user interaction, such as running a crafted chmod command like "chmod -R 000 /../". A successful attack performs a destructive recursive operation on the entire root filesystem, resulting in system-wide permission loss, high impacts to confidentiality, integrity, and availability, and potential complete system breakdown.
Mitigation is available via the patch in GitHub pull request https://github.com/uutils/coreutils/pull/10033, which has been incorporated into uutils coreutils release 0.6.0 at https://github.com/uutils/coreutils/releases/tag/0.6.0. Security practitioners should update affected installations to version 0.6.0 or later to address the issue.
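To make the flaw concrete, the following added example (my own code, not the uutils implementation or the fix in the pull request above) places the literal comparison the advisory describes beside a canonicalizing check, and wraps the latter in a hypothetical `preserve_root_blocks` helper that mirrors the chmod `-R --preserve-root` decision; the symlink in `main` is a constructed sample.

```rust
// Added example, not uutils code. Function names are assumptions.
use std::fs;
use std::io;
use std::path::Path;

/// The weak check described in the advisory: the target is compared
/// literally to "/", so "/../", "/./" or a symlink to "/" slip through.
fn is_root_literal(target: &str) -> bool {
    target == "/"
}

/// Hardened check: resolve symlinks and "." / ".." components first,
/// then compare the canonical path to the filesystem root.
/// Errors if the target does not exist (chmod would fail there anyway).
fn is_root_canonical(target: &str) -> io::Result<bool> {
    Ok(fs::canonicalize(target)? == Path::new("/"))
}

/// Mirrors the chmod decision: only with -R and --preserve-root is the
/// target inspected. Returns true when the operation must be refused.
fn preserve_root_blocks(target: &str, recursive: bool, preserve_root: bool) -> io::Result<bool> {
    if !(recursive && preserve_root) {
        return Ok(false);
    }
    is_root_canonical(target)
}

fn main() -> io::Result<()> {
    // Constructed sample: a symlink to "/" inside the temp directory.
    let link = std::env::temp_dir().join("preserve_root_demo_link");
    let _ = fs::remove_file(&link);
    std::os::unix::fs::symlink("/", &link)?;
    let link_str = link.to_str().unwrap().to_string();
    // "/../" -> literal=false canonical=true ; the symlink behaves the same.
    for target in ["/", "/../", "/./", link_str.as_str()] {
        println!(
            "{:<40} literal={:<5} canonical={}",
            target,
            is_root_literal(target),
            is_root_canonical(target)?
        );
    }
    fs::remove_file(&link)?;
    Ok(())
}
```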
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24963
Vulnerability details
A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism. The implementation only validates whether the target path is literally / and does not canonicalize the path. An attacker or accidental user can use path variants such as /../ or symbolic links to execute destructive recursive operations (e.g., chmod -R 000) on the entire root filesystem, leading to system-wide permission loss and potential complete system breakdown.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly bypasses the --preserve-root check in chmod via path traversal (e.g., /../), enabling recursive file/directory permission modifications on the root filesystem, which maps to T1222.002 (Linux and Mac Permissions) for creating denial of service or access control evasion.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely identification, patching, and deployment of the fix for the path canonicalization flaw in the uutils coreutils chmod utility (release 0.6.0), directly preventing bypass of the --preserve-root mechanism.
- SI-10 (Information Input Validation): Mandates information input validation, including path canonicalization, in utilities like chmod, directly countering the CWE-22 path traversal vulnerability exploited via variants like /../ or symlinks.
- Least privilege: Enforces least privilege to restrict the root access necessary for executing destructive recursive chmod operations on the root filesystem, limiting exploitation opportunities.