Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-cz18-jcfj-ruc9
Vulnerability ID VCID-cz18-jcfj-ruc9
Aliases CVE-2026-35350
GHSA-x2wv-9p67-mh9w
Summary The cp utility in uutils coreutils fails to properly handle setuid and setgid bits when ownership preservation fails. When copying with the -p (preserve) flag, the utility applies the source mode bits even if the chown operation is unsuccessful. This can result in a user-owned copy retaining original privileged bits, creating unexpected privileged executables that violate local security policies. This differs from GNU cp, which clears these bits when ownership cannot be preserved.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-281 Improper Preservation of Permissions
System Score Found at
epss 0.00014 https://api.first.org/data/v1/epss?cve=CVE-2026-35350
epss 0.00014 https://api.first.org/data/v1/epss?cve=CVE-2026-35350
epss 0.00014 https://api.first.org/data/v1/epss?cve=CVE-2026-35350
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-x2wv-9p67-mh9w
cvssv3.1 6.6 https://github.com/uutils/coreutils
generic_textual MODERATE https://github.com/uutils/coreutils
cvssv3.1 6.6 https://github.com/uutils/coreutils/issues/9750
generic_textual MODERATE https://github.com/uutils/coreutils/issues/9750
ssvc Track https://github.com/uutils/coreutils/issues/9750
cvssv3.1 6.6 https://nvd.nist.gov/vuln/detail/CVE-2026-35350
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-35350
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-35350
https://github.com/uutils/coreutils
https://nvd.nist.gov/vuln/detail/CVE-2026-35350
1134876 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134876
9750 https://github.com/uutils/coreutils/issues/9750
GHSA-x2wv-9p67-mh9w https://github.com/advisories/GHSA-x2wv-9p67-mh9w
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L Found at https://github.com/uutils/coreutils
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L Found at https://github.com/uutils/coreutils/issues/9750
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:56:50Z/ Found at https://github.com/uutils/coreutils/issues/9750
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2026-35350
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.02577
EPSS Score 0.00014
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:44:59.161399+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/35xxx/CVE-2026-35350.json 38.6.0