VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-45py-d4z2-33eh

Essentials
Severities (19)
References (8)
Severity details (16)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-45py-d4z2-33eh
Aliases	CVE-2026-35358 GHSA-67hp-f6hq-2h6g
Summary	The cp utility in uutils coreutils, when performing recursive copies (-R), incorrectly treats character and block device nodes as stream sources rather than preserving them. Because the implementation reads bytes into regular files at the destination instead of using mknod, device semantics are destroyed (e.g., /dev/null becomes a regular file). This behavior can lead to runtime denial of service through disk exhaustion or process hangs when reading from unbounded device nodes.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-706

Use of Incorrectly-Resolved Name or Reference

System	Score	Found at
epss	0.00014	https://api.first.org/data/v1/epss?cve=CVE-2026-35358
epss	0.00014	https://api.first.org/data/v1/epss?cve=CVE-2026-35358
epss	0.00014	https://api.first.org/data/v1/epss?cve=CVE-2026-35358
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-67hp-f6hq-2h6g
cvssv3.1	4.4	https://github.com/uutils/coreutils
generic_textual	MODERATE	https://github.com/uutils/coreutils
cvssv3.1	4.4	https://github.com/uutils/coreutils/commit/e6a3bb596f149628ba973eec3d099f3bb69f2464
generic_textual	MODERATE	https://github.com/uutils/coreutils/commit/e6a3bb596f149628ba973eec3d099f3bb69f2464
cvssv3.1	4.4	https://github.com/uutils/coreutils/issues/9746
generic_textual	MODERATE	https://github.com/uutils/coreutils/issues/9746
ssvc	Track	https://github.com/uutils/coreutils/issues/9746
cvssv3.1	4.4	https://github.com/uutils/coreutils/pull/11163
generic_textual	MODERATE	https://github.com/uutils/coreutils/pull/11163
ssvc	Track	https://github.com/uutils/coreutils/pull/11163
cvssv3.1	4.4	https://github.com/uutils/coreutils/releases/tag/0.7.0
generic_textual	MODERATE	https://github.com/uutils/coreutils/releases/tag/0.7.0
ssvc	Track	https://github.com/uutils/coreutils/releases/tag/0.7.0
cvssv3.1	4.4	https://nvd.nist.gov/vuln/detail/CVE-2026-35358
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2026-35358

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2026-35358
		https://github.com/uutils/coreutils
		https://github.com/uutils/coreutils/commit/e6a3bb596f149628ba973eec3d099f3bb69f2464
		https://nvd.nist.gov/vuln/detail/CVE-2026-35358
0.7.0		https://github.com/uutils/coreutils/releases/tag/0.7.0
11163		https://github.com/uutils/coreutils/pull/11163
9746		https://github.com/uutils/coreutils/issues/9746
GHSA-67hp-f6hq-2h6g		https://github.com/advisories/GHSA-67hp-f6hq-2h6g

No exploits are available.

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L Found at https://github.com/uutils/coreutils

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L Found at https://github.com/uutils/coreutils/commit/e6a3bb596f149628ba973eec3d099f3bb69f2464

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L Found at https://github.com/uutils/coreutils/issues/9746

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:53:06Z/ Found at https://github.com/uutils/coreutils/issues/9746

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L Found at https://github.com/uutils/coreutils/pull/11163

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:53:06Z/ Found at https://github.com/uutils/coreutils/pull/11163

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L Found at https://github.com/uutils/coreutils/releases/tag/0.7.0

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:53:06Z/ Found at https://github.com/uutils/coreutils/releases/tag/0.7.0

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2026-35358

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.02735
EPSS Score	0.00014
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T16:44:57.067538+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2026/35xxx/CVE-2026-35358.json	38.6.0