Search for packages
| purl | pkg:deb/debian/rust-coreutils@0.0.17-2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1xma-bq3c-u3h9
Aliases: CVE-2026-35369 GHSA-gpcg-h6x2-c26p |
An argument parsing error in the kill utility of uutils coreutils incorrectly interprets kill -1 as a request to send the default signal (SIGTERM) to PID -1. Sending a signal to PID -1 causes the kernel to terminate all processes visible to the caller, potentially leading to a system crash or massive process termination. This differs from GNU coreutils, which correctly recognizes -1 as a signal number in this context and would instead report a missing PID argument. |
Affected by 0 other vulnerabilities. |
|
VCID-3npq-hj69-cygg
Aliases: CVE-2026-35349 GHSA-v762-x3cf-5mfg |
A vulnerability in the rm utility of uutils coreutils allows a bypass of the --preserve-root protection. The implementation uses a path-string check rather than comparing device and inode numbers to identify the root directory. An attacker or accidental user can bypass this safeguard by using a symbolic link that resolves to the root directory (e.g., /tmp/rootlink -> /), potentially leading to the unintended recursive deletion of the entire root filesystem. |
Affected by 0 other vulnerabilities. |
|
VCID-45py-d4z2-33eh
Aliases: CVE-2026-35358 GHSA-67hp-f6hq-2h6g |
The cp utility in uutils coreutils, when performing recursive copies (-R), incorrectly treats character and block device nodes as stream sources rather than preserving them. Because the implementation reads bytes into regular files at the destination instead of using mknod, device semantics are destroyed (e.g., /dev/null becomes a regular file). This behavior can lead to runtime denial of service through disk exhaustion or process hangs when reading from unbounded device nodes. |
Affected by 0 other vulnerabilities. |
|
VCID-4asg-vgfk-n7av
Aliases: CVE-2026-35342 GHSA-2cxp-xq3c-mjxx |
The mktemp utility in uutils coreutils fails to properly handle an empty TMPDIR environment variable. Unlike GNU mktemp, which falls back to /tmp when TMPDIR is an empty string, the uutils implementation treats the empty string as a valid path. This causes temporary files to be created in the current working directory (CWD) instead of the intended secure temporary directory. If the CWD is more permissive or accessible to other users than /tmp, it may lead to unintended information disclosure or unauthorized access to temporary data. |
Affected by 0 other vulnerabilities. |
|
VCID-7agw-m43h-pkb1
Aliases: CVE-2026-35346 GHSA-hwhf-8p2f-45wr |
The comm utility in uutils coreutils silently corrupts data by performing lossy UTF-8 conversion on all output lines. The implementation uses String::from_utf8_lossy(), which replaces invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD). This behavior differs from GNU comm, which processes raw bytes and preserves the original input. This results in corrupted output when the utility is used to compare binary files or files using non-UTF-8 legacy encodings. |
Affected by 0 other vulnerabilities. |
|
VCID-868e-a9h5-vuc7
Aliases: CVE-2026-35353 GHSA-vf87-345h-9qhx |
The mkdir utility in uutils coreutils incorrectly applies permissions when using the -m flag by creating a directory with umask-derived permissions (typically 0755) before subsequently changing them to the requested mode via a separate chmod system call. In multi-user environments, this introduces a brief window where a directory intended to be private is accessible to other users, potentially leading to unauthorized data access. |
Affected by 0 other vulnerabilities. |
|
VCID-8wnr-wkj1-n3fw
Aliases: CVE-2026-35357 GHSA-2m8x-mvfx-gwgj |
The cp utility in uutils coreutils is vulnerable to an information disclosure race condition. Destination files are initially created with umask-derived permissions (e.g., 0644) before being restricted to their final mode (e.g., 0600) later in the process. A local attacker can race to open the file during this window; once obtained, the file descriptor remains valid and readable even after the permissions are tightened, exposing sensitive or private file contents. |
Affected by 0 other vulnerabilities. |
|
VCID-9wd6-ma2f-dfar
Aliases: CVE-2026-35367 GHSA-5hgf-628x-mcqf |
The nohup utility in uutils coreutils creates its default output file, nohup.out, without specifying explicit restricted permissions. This causes the file to inherit umask-based permissions, typically resulting in a world-readable file (0644). In multi-user environments, this allows any user on the system to read the captured stdout/stderr output of a command, potentially exposing sensitive information. This behavior diverges from GNU coreutils, which creates nohup.out with owner-only (0600) permissions. |
Affected by 0 other vulnerabilities. |
|
VCID-aghn-83cb-rbf2
Aliases: CVE-2026-35338 GHSA-9gqx-53gp-c8g3 |
A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism. The implementation only validates if the target path is literally / and does not canonicalize the path. An attacker or accidental user can use path variants such as /../ or symbolic links to execute destructive recursive operations (e.g., chmod -R 000) on the entire root filesystem, leading to system-wide permission loss and potential complete system breakdown. |
Affected by 0 other vulnerabilities. |
|
VCID-an5a-3u2z-bqck
Aliases: CVE-2026-35356 GHSA-m26v-hjq3-x245 |
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the install utility of uutils coreutils when using the -D flag. The command creates parent directories and subsequently performs a second path resolution to create the target file, neither of which is anchored to a directory file descriptor. An attacker with concurrent write access can replace a path component with a symbolic link between these operations, redirecting the privileged write to an arbitrary file system location. |
Affected by 0 other vulnerabilities. |
|
VCID-cz18-jcfj-ruc9
Aliases: CVE-2026-35350 GHSA-x2wv-9p67-mh9w |
The cp utility in uutils coreutils fails to properly handle setuid and setgid bits when ownership preservation fails. When copying with the -p (preserve) flag, the utility applies the source mode bits even if the chown operation is unsuccessful. This can result in a user-owned copy retaining original privileged bits, creating unexpected privileged executables that violate local security policies. This differs from GNU cp, which clears these bits when ownership cannot be preserved. |
Affected by 0 other vulnerabilities. |
|
VCID-f86r-a3zm-3bcd
Aliases: CVE-2026-35354 GHSA-x4mc-mqm7-gg39 |
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mv utility of uutils coreutils during cross-device moves. The extended attribute (xattr) preservation logic uses multiple path-based system calls that perform fresh path-to-inode lookups for each operation. A local attacker with write access to the directory can exploit this race to swap files between calls, causing the destination file to receive an inconsistent mix of security xattrs, such as SELinux labels or file capabilities. |
Affected by 0 other vulnerabilities. |
|
VCID-fagp-1t6k-vffu
Aliases: CVE-2026-35340 GHSA-88ch-q68x-36v7 |
A flaw in the ChownExecutor used by uutils coreutils chown and chgrp causes the utilities to return an incorrect exit code during recursive operations. The final exit code is determined only by the last file processed. If the last operation succeeds, the command returns 0 even if earlier ownership or group changes failed due to permission errors. This can lead to security misconfigurations where administrative scripts incorrectly assume that ownership has been successfully transferred across a directory tree. |
Affected by 0 other vulnerabilities. |
|
VCID-fmgt-fwj4-wqdu
Aliases: CVE-2026-35339 GHSA-vp6q-mv9j-j428 |
The recursive mode (-R) of the chmod utility in uutils coreutils incorrectly handles exit codes when processing multiple files. The final return value is determined solely by the success or failure of the last file processed. This allows the command to return an exit code of 0 (success) even if errors were encountered on previous files, such as 'Operation not permitted'. Scripts relying on these exit codes may proceed under a false sense of success while sensitive files remain with restrictive or incorrect permissions. |
Affected by 0 other vulnerabilities. |
|
VCID-g5yr-q2gm-tkhk
Aliases: CVE-2026-35379 GHSA-fhr3-xh3q-69w6 |
A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the [:graph:] and [:print:] character classes. The implementation mistakenly includes the ASCII space character (0x20) in the [:graph:] class and excludes it from the [:print:] class, effectively reversing the standard behavior established by POSIX and GNU coreutils. This vulnerability leads to unintended data modification or loss when the utility is used in automated scripts or data-cleaning pipelines that rely on standard character class semantics. For example, a command executed to delete all graphical characters while intending to preserve whitespace will incorrectly delete all ASCII spaces, potentially resulting in data corruption or logic failures in downstream processing. |
Affected by 0 other vulnerabilities. |
|
VCID-gtvr-x9jh-w7gk
Aliases: CVE-2026-35375 GHSA-vx9m-xjwf-8cqm |
A logic error in the split utility of uutils coreutils causes the corruption of output filenames when provided with non-UTF-8 prefix or suffix inputs. The implementation utilizes to_string_lossy() when constructing chunk filenames, which automatically rewrites invalid byte sequences into the UTF-8 replacement character (U+FFFD). This behavior diverges from GNU split, which preserves raw pathname bytes intact. In environments utilizing non-UTF-8 encodings, this vulnerability leads to the creation of files with incorrect names, potentially causing filename collisions, broken automation, or the misdirection of output data. |
Affected by 0 other vulnerabilities. |
|
VCID-jfqg-n8g4-y7e3
Aliases: CVE-2026-35359 GHSA-hpfw-mqm3-33jh |
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a source path is a symbolic link using path-based metadata but subsequently opens it without the O_NOFOLLOW flag. An attacker with concurrent write access can swap a regular file for a symbolic link during this window, causing a privileged cp process to copy the contents of arbitrary sensitive files into a destination controlled by the attacker. |
Affected by 0 other vulnerabilities. |
|
VCID-jkhc-vvqy-uygx
Aliases: CVE-2026-35364 GHSA-m976-87wm-48fm |
A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation. A local attacker with write access to the destination directory can exploit this window to replace the destination with a symbolic link. The subsequent privileged move operation will follow the symlink, allowing the attacker to redirect the write and overwrite an arbitrary target file with contents from the source. |
Affected by 0 other vulnerabilities. |
|
VCID-jkma-75vp-xyck
Aliases: CVE-2026-35362 GHSA-ggc5-46rg-mr4v |
The safe_traversal module in uutils coreutils, which provides protection against Time-of-Check to Time-of-Use (TOCTOU) symlink races using file-descriptor-relative syscalls, is incorrectly limited to Linux targets. On other Unix-like systems such as macOS and FreeBSD, the utility fails to utilize these protections, leaving directory traversal operations vulnerable to symlink race conditions. |
Affected by 0 other vulnerabilities. |
|
VCID-ka1w-rgg3-c3hn
Aliases: CVE-2026-35351 GHSA-957r-r8gc-vv3h |
The mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls back to a copy-and-delete routine that creates the destination file using the caller's UID/GID rather than the source's metadata. This flaw breaks backups and migrations, causing files moved by a privileged user (e.g., root) to become root-owned unexpectedly, which can lead to information disclosure or restricted access for the intended owners. |
Affected by 0 other vulnerabilities. |
|
VCID-mfjq-bkgq-yycg
Aliases: CVE-2026-35372 GHSA-wq63-vh5h-pr5p |
A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference (or -n) flag is explicitly provided. The implementation previously only honored the "no-dereference" intent if the --force (overwrite) mode was also enabled. This flaw causes ln to follow a symbolic link that points to a directory and create new links inside that target directory instead of treating the symbolic link itself as the destination. In environments where a privileged user or system script uses ln -n to update a symlink, a local attacker could manipulate existing symbolic links to redirect file creation into sensitive directories, potentially leading to unauthorized file creation or system misconfiguration. |
Affected by 0 other vulnerabilities. |
|
VCID-q9pt-1vcd-37bg
Aliases: CVE-2026-35368 GHSA-mh5c-xrmh-m794 |
A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering the chroot but before dropping root privileges. On glibc-based systems, this can trigger the Name Service Switch (NSS) to load shared libraries (e.g., libnss_*.so.2) from the new root directory. If the NEWROOT is writable by an attacker, they can inject a malicious NSS module to execute arbitrary code as root, facilitating a full container escape or privilege escalation. |
Affected by 0 other vulnerabilities. |
|
VCID-rkja-wb14-m3hw
Aliases: CVE-2026-35366 GHSA-7259-cwhx-3xx3 |
The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows malicious environment variables (e.g., adversarial LD_PRELOAD values) to evade inspection by administrators or security auditing tools, potentially allowing library injection or other environment-based attacks to go undetected. |
Affected by 0 other vulnerabilities. |
|
VCID-rn89-dxgw-bue8
Aliases: CVE-2026-35380 GHSA-m2pg-c7m6-77pj |
A logic error in the cut utility of uutils coreutils causes the program to incorrectly interpret the literal two-byte string '' (two single quotes) as an empty delimiter. The implementation mistakenly maps this string to the NUL character for both the -d (delimiter) and --output-delimiter options. This vulnerability can lead to silent data corruption or logic errors in automated scripts and data pipelines that process strings containing these characters, as the utility may unintentionally split or join data on NUL bytes rather than the intended literal characters. |
Affected by 0 other vulnerabilities. |
|
VCID-rze6-x7s8-2fb1
Aliases: CVE-2026-35361 GHSA-79rc-qpw3-jv92 |
The mknod utility in uutils coreutils fails to handle security labels atomically by creating device nodes before setting the SELinux context. If labeling fails, the utility attempts cleanup using std::fs::remove_dir, which cannot remove device nodes or FIFOs. This leaves mislabeled nodes behind with incorrect default contexts, potentially allowing unauthorized access to device nodes that should have been restricted by mandatory access controls. |
Affected by 0 other vulnerabilities. |
|
VCID-s1us-54av-gfhb
Aliases: CVE-2026-35363 GHSA-vchc-9ggh-3236 |
A vulnerability in the rm utility of uutils coreutils allows the bypass of safeguard mechanisms intended to protect the current directory. While the utility correctly refuses to delete . or .., it fails to recognize equivalent paths with trailing slashes, such as ./ or .///. An accidental or malicious execution of rm -rf ./ results in the silent recursive deletion of all contents within the current directory. The command further obscures the data loss by reporting a misleading 'Invalid input' error, which may cause users to miss the critical window for data recovery. |
Affected by 0 other vulnerabilities. |
|
VCID-szfn-p4u1-k3bp
Aliases: CVE-2026-35378 GHSA-5pv5-xh52-hvrp |
A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase rather than at the execution phase. This implementation flaw prevents the utility from performing proper short-circuiting for logical OR (|) and AND (&) operations. As a result, arithmetic errors (such as division by zero) occurring within "dead" branches, branches that should be ignored due to short-circuiting, are raised as fatal errors. This divergence from GNU expr behavior can cause guarded expressions within shell scripts to fail with hard errors instead of returning expected boolean results, leading to premature script termination and breaking GNU-compatible shell control flow. |
Affected by 0 other vulnerabilities. |
|
VCID-x173-jyfw-1ued
Aliases: CVE-2026-35347 GHSA-rx8h-33gr-vhj9 |
The comm utility in uutils coreutils incorrectly consumes data from non-regular file inputs before performing comparison operations. The are_files_identical function opens and reads from both input paths to compare content without first verifying if the paths refer to regular files. If an input path is a FIFO or a pipe, this pre-read operation drains the stream, leading to silent data loss before the actual comparison logic is executed. Additionally, the utility may hang indefinitely if it attempts to pre-read from infinite streams like /dev/zero. |
Affected by 0 other vulnerabilities. |
|
VCID-xp6n-t68q-93dv
Aliases: CVE-2026-35343 GHSA-hj9r-8pfm-rmjj |
The cut utility in uutils coreutils incorrectly handles the -s (only-delimited) option when a newline character is specified as the delimiter. The implementation fails to verify the only_delimited flag in the cut_fields_newline_char_delim function, causing the utility to print non-delimited lines that should have been suppressed. This can lead to unexpected data being passed to downstream scripts that rely on strict output filtering. |
Affected by 0 other vulnerabilities. |
|
VCID-xves-5auj-yqdg
Aliases: CVE-2026-35365 GHSA-66fx-fqv6-5wwx |
The mv utility in uutils coreutils improperly handles directory trees containing symbolic links during moves across filesystem boundaries. Instead of preserving symlinks, the implementation expands them, copying the linked targets as real files or directories at the destination. This can lead to resource exhaustion (disk space or time) if symlinks point to large external directories, unexpected duplication of sensitive data into unintended locations, or infinite recursion and repeated copying in the presence of symlink loops. |
Affected by 0 other vulnerabilities. |
|
VCID-yaxf-65d5-7qck
Aliases: CVE-2026-35381 GHSA-532v-xp3f-837c |
A logic error in the cut utility of uutils coreutils causes the utility to ignore the -s (only-delimited) flag when using the -z (null-terminated) and -d '' (empty delimiter) options together. The implementation incorrectly routes this specific combination through a specialized newline-delimiter code path that fails to check the record suppression status. Consequently, uutils cut emits the entire record plus a NUL byte instead of suppressing it. This divergence from GNU coreutils behavior creates a data integrity risk for automated pipelines that rely on cut -s to filter out undelimited data. |
Affected by 0 other vulnerabilities. |
|
VCID-ztuq-wank-67fe
Aliases: CVE-2026-35355 GHSA-v24v-f45g-w7jf |
The install utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file installation. The implementation unlinks an existing destination file and then recreates it using a path-based operation without the O_EXCL flag. A local attacker can exploit the window between the unlink and the subsequent creation to swap the path with a symbolic link, allowing them to redirect privileged writes to overwrite arbitrary system files. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||