Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-e2ux-y334-zbb5
Vulnerability ID VCID-e2ux-y334-zbb5
Aliases CVE-2026-35370
GHSA-q94g-3gcf-66x7
Summary The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions, this discrepancy can lead to unauthorized access or security misconfigurations.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-863 Incorrect Authorization
System Score Found at
epss 0.00015 https://api.first.org/data/v1/epss?cve=CVE-2026-35370
epss 0.00015 https://api.first.org/data/v1/epss?cve=CVE-2026-35370
epss 0.00015 https://api.first.org/data/v1/epss?cve=CVE-2026-35370
epss 0.00015 https://api.first.org/data/v1/epss?cve=CVE-2026-35370
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-q94g-3gcf-66x7
cvssv3.1 4.4 https://github.com/uutils/coreutils
generic_textual MODERATE https://github.com/uutils/coreutils
cvssv3.1 4.4 https://github.com/uutils/coreutils/issues/10006
generic_textual MODERATE https://github.com/uutils/coreutils/issues/10006
ssvc Track https://github.com/uutils/coreutils/issues/10006
cvssv3.1 4.4 https://nvd.nist.gov/vuln/detail/CVE-2026-35370
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-35370
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-35370
https://github.com/uutils/coreutils
https://nvd.nist.gov/vuln/detail/CVE-2026-35370
10006 https://github.com/uutils/coreutils/issues/10006
1136199 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136199
GHSA-q94g-3gcf-66x7 https://github.com/advisories/GHSA-q94g-3gcf-66x7
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/uutils/coreutils
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/uutils/coreutils/issues/10006
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:47:44Z/ Found at https://github.com/uutils/coreutils/issues/10006
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-35370
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.03528
EPSS Score 0.00015
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:44:57.689041+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/35xxx/CVE-2026-35370.json 38.6.0