CVE-2026-35368
Published: 22 April 2026
Summary
CVE-2026-35368 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Uutils Coreutils. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 1.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the specific flaw in uutils coreutils chroot utility that allows NSS to load malicious libraries from writable NEWROOT before dropping root privileges.
Enforces access controls to prevent low-privilege attackers from writing malicious NSS modules to the chroot NEWROOT directory.
Verifies the integrity of shared libraries like libnss_*.so.2 loaded by NSS within the chroot, preventing or detecting execution of injected malicious code.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables arbitrary root code execution via malicious NSS library injection after chroot but before priv drop, directly facilitating local privilege escalation (T1068) and container escapes (T1611).
NVD Description
A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering the chroot but before dropping root privileges. On glibc-based systems, this can trigger the Name…
more
Service Switch (NSS) to load shared libraries (e.g., libnss_*.so.2) from the new root directory. If the NEWROOT is writable by an attacker, they can inject a malicious NSS module to execute arbitrary code as root, facilitating a full container escape or privilege escalation.
Deeper analysisAI
CVE-2026-35368 affects the chroot utility in uutils coreutils when the --userspec option is used. The vulnerability arises because the utility resolves the user specification via getpwnam() after entering the chroot environment but before dropping root privileges. On glibc-based systems, this resolution triggers the Name Service Switch (NSS) to load shared libraries, such as libnss_*.so.2, from the new root directory.
A local attacker with low privileges (PR:L) who can write to the NEWROOT directory can exploit this by injecting a malicious NSS module. This leads to arbitrary code execution as root, enabling full container escapes or privilege escalations. The attack requires high complexity (AC:H) and local access (AV:L), with a CVSS v3.1 base score of 7.8 (AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H). It is classified under CWE-426 (Untrusted Search Path).
The vulnerability is tracked in the uutils/coreutils GitHub repository at https://github.com/uutils/coreutils/issues/10327.
Details
- CWE(s)