Search for packages
| purl | pkg:cargo/coreutils@0.8.0 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-4anr-s5ts-sybp
Aliases: CVE-2026-35341 GHSA-w8m4-4v35-v6x3 |
A vulnerability in uutils coreutils mkfifo allows for the unauthorized modification of permissions on existing files. When mkfifo fails to create a FIFO because a file already exists at the target path, it fails to terminate the operation for that path and continues to execute a follow-up set_permissions call. This results in the existing file's permissions being changed to the default mode (often 644 after umask), potentially exposing sensitive files such as SSH private keys to other users on the system. | There are no reported fixed by versions. |
|
VCID-8qf1-3wz7-a3c8
Aliases: CVE-2026-35374 GHSA-4wrp-79m8-9m9p |
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the split utility of uutils coreutils. The program attempts to prevent data loss by checking for identity between input and output files using their file paths before initiating the split operation. However, the utility subsequently opens the output file with truncation after this path-based validation is complete. A local attacker with write access to the directory can exploit this race window by manipulating mutable path components (e.g., swapping a path with a symbolic link). This can cause split to truncate and write to an unintended target file, potentially including the input file itself or other sensitive files accessible to the process, leading to permanent data loss. | There are no reported fixed by versions. |
|
VCID-8wnr-wkj1-n3fw
Aliases: CVE-2026-35357 GHSA-2m8x-mvfx-gwgj |
The cp utility in uutils coreutils is vulnerable to an information disclosure race condition. Destination files are initially created with umask-derived permissions (e.g., 0644) before being restricted to their final mode (e.g., 0600) later in the process. A local attacker can race to open the file during this window; once obtained, the file descriptor remains valid and readable even after the permissions are tightened, exposing sensitive or private file contents. | There are no reported fixed by versions. |
|
VCID-8wt1-5kr6-3bh4
Aliases: CVE-2026-35360 GHSA-q6m9-xj2w-xmrc |
The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss. | There are no reported fixed by versions. |
|
VCID-9wd6-ma2f-dfar
Aliases: CVE-2026-35367 GHSA-5hgf-628x-mcqf |
The nohup utility in uutils coreutils creates its default output file, nohup.out, without specifying explicit restricted permissions. This causes the file to inherit umask-based permissions, typically resulting in a world-readable file (0644). In multi-user environments, this allows any user on the system to read the captured stdout/stderr output of a command, potentially exposing sensitive information. This behavior diverges from GNU coreutils, which creates nohup.out with owner-only (0600) permissions. | There are no reported fixed by versions. |
|
VCID-bhu3-ckdm-aqe7
Aliases: CVE-2026-35373 GHSA-xh5h-p8c5-4w4x |
A logic error in the ln utility of uutils coreutils causes the program to reject source paths containing non-UTF-8 filename bytes when using target-directory forms (e.g., ln SOURCE... DIRECTORY). While GNU ln treats filenames as raw bytes and creates the links correctly, the uutils implementation enforces UTF-8 encoding, resulting in a failure to stat the file and a non-zero exit code. In environments where automated scripts or system tasks process valid but non-UTF-8 filenames common on Unix filesystems, this divergence causes the utility to fail, leading to a local denial of service for those specific operations. | There are no reported fixed by versions. |
|
VCID-cz18-jcfj-ruc9
Aliases: CVE-2026-35350 GHSA-x2wv-9p67-mh9w |
The cp utility in uutils coreutils fails to properly handle setuid and setgid bits when ownership preservation fails. When copying with the -p (preserve) flag, the utility applies the source mode bits even if the chown operation is unsuccessful. This can result in a user-owned copy retaining original privileged bits, creating unexpected privileged executables that violate local security policies. This differs from GNU cp, which clears these bits when ownership cannot be preserved. | There are no reported fixed by versions. |
|
VCID-czhg-366j-guef
Aliases: CVE-2026-35345 GHSA-xf75-659h-cgg5 |
A vulnerability in the tail utility of uutils coreutils allows for the exfiltration of sensitive file contents when using the --follow=name option. Unlike GNU tail, the uutils implementation continues to monitor a path after it has been replaced by a symbolic link, subsequently outputting the contents of the link's target. In environments where a privileged user (e.g., root) monitors a log directory, a local attacker with write access to that directory can replace a log file with a symlink to a sensitive system file (such as /etc/shadow), causing tail to disclose the contents of the sensitive file. | There are no reported fixed by versions. |
|
VCID-d75c-k9yz-bbag
Aliases: CVE-2026-35348 GHSA-f2jv-wjjc-2c94 |
The sort utility in uutils coreutils is vulnerable to a process panic when using the --files0-from option with inputs containing non-UTF-8 filenames. The implementation enforces UTF-8 encoding and utilizes expect(), causing an immediate crash when encountering valid but non-UTF-8 paths. This diverges from GNU sort, which treats filenames as raw bytes. A local attacker can exploit this to crash the utility and disrupt automated pipelines. | There are no reported fixed by versions. |
|
VCID-e2ux-y334-zbb5
Aliases: CVE-2026-35370 GHSA-q94g-3gcf-66x7 |
The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions, this discrepancy can lead to unauthorized access or security misconfigurations. | There are no reported fixed by versions. |
|
VCID-f86r-a3zm-3bcd
Aliases: CVE-2026-35354 GHSA-x4mc-mqm7-gg39 |
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mv utility of uutils coreutils during cross-device moves. The extended attribute (xattr) preservation logic uses multiple path-based system calls that perform fresh path-to-inode lookups for each operation. A local attacker with write access to the directory can exploit this race to swap files between calls, causing the destination file to receive an inconsistent mix of security xattrs, such as SELinux labels or file capabilities. | There are no reported fixed by versions. |
|
VCID-hfz2-m7sj-hkb6
Aliases: CVE-2026-35352 GHSA-9gh9-hwpr-rvqq |
A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO and then performs a path-based chmod to set permissions. A local attacker with write access to the parent directory can swap the newly created FIFO for a symbolic link between these two operations. This redirects the chmod call to an arbitrary file, potentially enabling privilege escalation if the utility is run with elevated privileges. | There are no reported fixed by versions. |
|
VCID-j5f5-zvmq-rydw
Aliases: CVE-2026-35344 GHSA-wh8p-h9hw-x2mc |
The dd utility in uutils coreutils suppresses errors during file truncation operations by unconditionally calling Result::ok() on truncation attempts. While intended to mimic GNU behavior for special files like /dev/null, the uutils implementation also hides failures on regular files and directories caused by full disks or read-only file systems. This can lead to silent data corruption in backup or migration scripts, as the utility may report a successful operation even when the destination file contains old or garbage data. | There are no reported fixed by versions. |
|
VCID-jfqg-n8g4-y7e3
Aliases: CVE-2026-35359 GHSA-hpfw-mqm3-33jh |
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a source path is a symbolic link using path-based metadata but subsequently opens it without the O_NOFOLLOW flag. An attacker with concurrent write access can swap a regular file for a symbolic link during this window, causing a privileged cp process to copy the contents of arbitrary sensitive files into a destination controlled by the attacker. | There are no reported fixed by versions. |
|
VCID-jkhc-vvqy-uygx
Aliases: CVE-2026-35364 GHSA-m976-87wm-48fm |
A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation. A local attacker with write access to the destination directory can exploit this window to replace the destination with a symbolic link. The subsequent privileged move operation will follow the symlink, allowing the attacker to redirect the write and overwrite an arbitrary target file with contents from the source. | There are no reported fixed by versions. |
|
VCID-ka1w-rgg3-c3hn
Aliases: CVE-2026-35351 GHSA-957r-r8gc-vv3h |
The mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls back to a copy-and-delete routine that creates the destination file using the caller's UID/GID rather than the source's metadata. This flaw breaks backups and migrations, causing files moved by a privileged user (e.g., root) to become root-owned unexpectedly, which can lead to information disclosure or restricted access for the intended owners. | There are no reported fixed by versions. |
|
VCID-q9pt-1vcd-37bg
Aliases: CVE-2026-35368 GHSA-mh5c-xrmh-m794 |
A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering the chroot but before dropping root privileges. On glibc-based systems, this can trigger the Name Service Switch (NSS) to load shared libraries (e.g., libnss_*.so.2) from the new root directory. If the NEWROOT is writable by an attacker, they can inject a malicious NSS module to execute arbitrary code as root, facilitating a full container escape or privilege escalation. | There are no reported fixed by versions. |
|
VCID-s1us-54av-gfhb
Aliases: CVE-2026-35363 GHSA-vchc-9ggh-3236 |
A vulnerability in the rm utility of uutils coreutils allows the bypass of safeguard mechanisms intended to protect the current directory. While the utility correctly refuses to delete . or .., it fails to recognize equivalent paths with trailing slashes, such as ./ or .///. An accidental or malicious execution of rm -rf ./ results in the silent recursive deletion of all contents within the current directory. The command further obscures the data loss by reporting a misleading 'Invalid input' error, which may cause users to miss the critical window for data recovery. | There are no reported fixed by versions. |
|
VCID-t2ka-2ckz-83h2
Aliases: CVE-2026-35376 GHSA-6g8r-74qp-6859 |
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the chcon utility of uutils coreutils during recursive operations. The implementation resolves recursive targets using a fresh path lookup (via fts_accpath) rather than binding the traversal and label application to the specific directory state encountered during traversal. Because these operations are not anchored to file descriptors, a local attacker with write access to a directory tree can exploit timing-sensitive rename or symbolic link races to redirect a privileged recursive relabeling operation to unintended files or directories. This vulnerability breaks the hardening expectations for SELinux administration workflows and can lead to the unauthorized modification of security labels on sensitive system objects. | There are no reported fixed by versions. |
|
VCID-xyy7-7fby-4kgn
Aliases: CVE-2026-35377 GHSA-5v4g-vw9x-h534 |
A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S (split-string) option. In GNU env, backslashes within single quotes are treated literally (with the exceptions of \\ and \'). However, the uutils implementation incorrectly attempts to validate these sequences, resulting in an "invalid sequence" error and an immediate process termination with an exit status of 125 when encountering valid but unrecognized sequences like \a or \x. This divergence from GNU behavior breaks compatibility for automated scripts and administrative workflows that rely on standard split-string semantics, leading to a local denial of service for those operations. | There are no reported fixed by versions. |
|
VCID-zkbv-zv2u-pbck
Aliases: CVE-2026-35371 GHSA-53gr-wmf4-8hh3 |
The id utility in uutils coreutils exhibits incorrect behavior in its "pretty print" output when the real UID and effective UID differ. The implementation incorrectly uses the effective GID instead of the effective UID when performing a name lookup for the effective user. This results in misleading diagnostic output that can cause automated scripts or system administrators to make incorrect decisions regarding file permissions or access control. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-g5yr-q2gm-tkhk | A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the [:graph:] and [:print:] character classes. The implementation mistakenly includes the ASCII space character (0x20) in the [:graph:] class and excludes it from the [:print:] class, effectively reversing the standard behavior established by POSIX and GNU coreutils. This vulnerability leads to unintended data modification or loss when the utility is used in automated scripts or data-cleaning pipelines that rely on standard character class semantics. For example, a command executed to delete all graphical characters while intending to preserve whitespace will incorrectly delete all ASCII spaces, potentially resulting in data corruption or logic failures in downstream processing. |
CVE-2026-35379
GHSA-fhr3-xh3q-69w6 |
| VCID-gtvr-x9jh-w7gk | A logic error in the split utility of uutils coreutils causes the corruption of output filenames when provided with non-UTF-8 prefix or suffix inputs. The implementation utilizes to_string_lossy() when constructing chunk filenames, which automatically rewrites invalid byte sequences into the UTF-8 replacement character (U+FFFD). This behavior diverges from GNU split, which preserves raw pathname bytes intact. In environments utilizing non-UTF-8 encodings, this vulnerability leads to the creation of files with incorrect names, potentially causing filename collisions, broken automation, or the misdirection of output data. |
CVE-2026-35375
GHSA-vx9m-xjwf-8cqm |
| VCID-mfjq-bkgq-yycg | A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference (or -n) flag is explicitly provided. The implementation previously only honored the "no-dereference" intent if the --force (overwrite) mode was also enabled. This flaw causes ln to follow a symbolic link that points to a directory and create new links inside that target directory instead of treating the symbolic link itself as the destination. In environments where a privileged user or system script uses ln -n to update a symlink, a local attacker could manipulate existing symbolic links to redirect file creation into sensitive directories, potentially leading to unauthorized file creation or system misconfiguration. |
CVE-2026-35372
GHSA-wq63-vh5h-pr5p |
| VCID-rn89-dxgw-bue8 | A logic error in the cut utility of uutils coreutils causes the program to incorrectly interpret the literal two-byte string '' (two single quotes) as an empty delimiter. The implementation mistakenly maps this string to the NUL character for both the -d (delimiter) and --output-delimiter options. This vulnerability can lead to silent data corruption or logic errors in automated scripts and data pipelines that process strings containing these characters, as the utility may unintentionally split or join data on NUL bytes rather than the intended literal characters. |
CVE-2026-35380
GHSA-m2pg-c7m6-77pj |
| VCID-szfn-p4u1-k3bp | A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase rather than at the execution phase. This implementation flaw prevents the utility from performing proper short-circuiting for logical OR (|) and AND (&) operations. As a result, arithmetic errors (such as division by zero) occurring within "dead" branches, branches that should be ignored due to short-circuiting, are raised as fatal errors. This divergence from GNU expr behavior can cause guarded expressions within shell scripts to fail with hard errors instead of returning expected boolean results, leading to premature script termination and breaking GNU-compatible shell control flow. |
CVE-2026-35378
GHSA-5pv5-xh52-hvrp |
| VCID-yaxf-65d5-7qck | A logic error in the cut utility of uutils coreutils causes the utility to ignore the -s (only-delimited) flag when using the -z (null-terminated) and -d '' (empty delimiter) options together. The implementation incorrectly routes this specific combination through a specialized newline-delimiter code path that fails to check the record suppression status. Consequently, uutils cut emits the entire record plus a NUL byte instead of suppressing it. This divergence from GNU coreutils behavior creates a data integrity risk for automated pipelines that rely on cut -s to filter out undelimited data. |
CVE-2026-35381
GHSA-532v-xp3f-837c |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-13T06:29:32.011633+00:00 | GHSA Importer | Fixing | VCID-szfn-p4u1-k3bp | https://github.com/advisories/GHSA-5pv5-xh52-hvrp | 38.6.0 |
| 2026-06-13T06:29:31.984172+00:00 | GHSA Importer | Affected by | VCID-zkbv-zv2u-pbck | https://github.com/advisories/GHSA-53gr-wmf4-8hh3 | 38.6.0 |
| 2026-06-13T06:29:31.958530+00:00 | GHSA Importer | Affected by | VCID-e2ux-y334-zbb5 | https://github.com/advisories/GHSA-q94g-3gcf-66x7 | 38.6.0 |
| 2026-06-13T06:29:31.931785+00:00 | GHSA Importer | Affected by | VCID-xyy7-7fby-4kgn | https://github.com/advisories/GHSA-5v4g-vw9x-h534 | 38.6.0 |
| 2026-06-13T06:29:31.905226+00:00 | GHSA Importer | Affected by | VCID-bhu3-ckdm-aqe7 | https://github.com/advisories/GHSA-xh5h-p8c5-4w4x | 38.6.0 |
| 2026-06-13T06:29:31.879969+00:00 | GHSA Importer | Affected by | VCID-8qf1-3wz7-a3c8 | https://github.com/advisories/GHSA-4wrp-79m8-9m9p | 38.6.0 |
| 2026-06-13T06:29:31.854179+00:00 | GHSA Importer | Fixing | VCID-yaxf-65d5-7qck | https://github.com/advisories/GHSA-532v-xp3f-837c | 38.6.0 |
| 2026-06-13T06:29:31.823551+00:00 | GHSA Importer | Fixing | VCID-g5yr-q2gm-tkhk | https://github.com/advisories/GHSA-fhr3-xh3q-69w6 | 38.6.0 |
| 2026-06-13T06:29:31.796137+00:00 | GHSA Importer | Affected by | VCID-t2ka-2ckz-83h2 | https://github.com/advisories/GHSA-6g8r-74qp-6859 | 38.6.0 |
| 2026-06-13T06:29:31.770498+00:00 | GHSA Importer | Fixing | VCID-mfjq-bkgq-yycg | https://github.com/advisories/GHSA-wq63-vh5h-pr5p | 38.6.0 |
| 2026-06-13T06:29:31.742200+00:00 | GHSA Importer | Fixing | VCID-rn89-dxgw-bue8 | https://github.com/advisories/GHSA-m2pg-c7m6-77pj | 38.6.0 |
| 2026-06-13T06:29:31.713303+00:00 | GHSA Importer | Fixing | VCID-gtvr-x9jh-w7gk | https://github.com/advisories/GHSA-vx9m-xjwf-8cqm | 38.6.0 |
| 2026-06-13T06:29:31.684100+00:00 | GHSA Importer | Affected by | VCID-j5f5-zvmq-rydw | https://github.com/advisories/GHSA-wh8p-h9hw-x2mc | 38.6.0 |
| 2026-06-13T06:29:31.632337+00:00 | GHSA Importer | Affected by | VCID-8wt1-5kr6-3bh4 | https://github.com/advisories/GHSA-q6m9-xj2w-xmrc | 38.6.0 |
| 2026-06-13T06:29:31.491955+00:00 | GHSA Importer | Affected by | VCID-cz18-jcfj-ruc9 | https://github.com/advisories/GHSA-x2wv-9p67-mh9w | 38.6.0 |
| 2026-06-13T06:29:31.413631+00:00 | GHSA Importer | Affected by | VCID-jkhc-vvqy-uygx | https://github.com/advisories/GHSA-m976-87wm-48fm | 38.6.0 |
| 2026-06-13T06:29:31.357255+00:00 | GHSA Importer | Affected by | VCID-hfz2-m7sj-hkb6 | https://github.com/advisories/GHSA-9gh9-hwpr-rvqq | 38.6.0 |
| 2026-06-13T06:29:31.328218+00:00 | GHSA Importer | Affected by | VCID-9wd6-ma2f-dfar | https://github.com/advisories/GHSA-5hgf-628x-mcqf | 38.6.0 |
| 2026-06-13T06:29:31.295677+00:00 | GHSA Importer | Affected by | VCID-s1us-54av-gfhb | https://github.com/advisories/GHSA-vchc-9ggh-3236 | 38.6.0 |
| 2026-06-13T06:29:31.271352+00:00 | GHSA Importer | Affected by | VCID-jfqg-n8g4-y7e3 | https://github.com/advisories/GHSA-hpfw-mqm3-33jh | 38.6.0 |
| 2026-06-13T06:29:31.245193+00:00 | GHSA Importer | Affected by | VCID-q9pt-1vcd-37bg | https://github.com/advisories/GHSA-mh5c-xrmh-m794 | 38.6.0 |
| 2026-06-13T06:29:31.220780+00:00 | GHSA Importer | Affected by | VCID-8wnr-wkj1-n3fw | https://github.com/advisories/GHSA-2m8x-mvfx-gwgj | 38.6.0 |
| 2026-06-13T06:29:31.166959+00:00 | GHSA Importer | Affected by | VCID-ka1w-rgg3-c3hn | https://github.com/advisories/GHSA-957r-r8gc-vv3h | 38.6.0 |
| 2026-06-13T06:29:31.088103+00:00 | GHSA Importer | Affected by | VCID-d75c-k9yz-bbag | https://github.com/advisories/GHSA-f2jv-wjjc-2c94 | 38.6.0 |
| 2026-06-13T06:29:31.006316+00:00 | GHSA Importer | Affected by | VCID-f86r-a3zm-3bcd | https://github.com/advisories/GHSA-x4mc-mqm7-gg39 | 38.6.0 |
| 2026-06-13T06:29:30.843287+00:00 | GHSA Importer | Affected by | VCID-4anr-s5ts-sybp | https://github.com/advisories/GHSA-w8m4-4v35-v6x3 | 38.6.0 |
| 2026-06-13T06:29:30.777028+00:00 | GHSA Importer | Affected by | VCID-czhg-366j-guef | https://github.com/advisories/GHSA-xf75-659h-cgg5 | 38.6.0 |