|
1621
|
7.3 |
HIGH
Local
|
uutils
|
coreutils
|
A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism. The implementation only validates if the target path is literally / and does not …
|
CWE-22
Path Traversal
|
CVE-2026-35338
|
2026-04-27 21:28 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1622
|
3.3 |
LOW
Local
|
uutils
|
coreutils
|
The comm utility in uutils coreutils silently corrupts data by performing lossy UTF-8 conversion on all output lines. The implementation uses String::from_utf8_lossy(), which replaces invalid UTF-8 b…
|
CWE-176
Improper Handling of Unicode Encoding
|
CVE-2026-35346
|
2026-04-27 21:28 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1623
|
4.4 |
MEDIUM
Local
|
uutils
|
coreutils
|
The comm utility in uutils coreutils incorrectly consumes data from non-regular file inputs before performing comparison operations. The are_files_identical function opens and reads from both input p…
|
CWE-20
Improper Input Validation
|
CVE-2026-35347
|
2026-04-27 21:28 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1624
|
7.7 |
HIGH
Local
|
uutils
|
coreutils
|
A vulnerability in the rm utility of uutils coreutils allows a bypass of the --preserve-root protection. The implementation uses a path-string check rather than comparing device and inode numbers to …
|
CWE-59
Link Following
|
CVE-2026-35349
|
2026-04-27 21:28 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1625
|
4.2 |
MEDIUM
Local
|
uutils
|
coreutils
|
The mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls back to a copy-and-delete routine that creates the destinati…
|
CWE-281
Improper Preservation of Permissions
|
CVE-2026-35351
|
2026-04-27 21:28 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1626
|
3.3 |
LOW
Local
|
uutils
|
coreutils
|
The mkdir utility in uutils coreutils incorrectly applies permissions when using the -m flag by creating a directory with umask-derived permissions (typically 0755) before subsequently changing them …
|
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
|
CVE-2026-35353
|
2026-04-27 21:27 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1627
|
6.3 |
MEDIUM
Local
|
uutils
|
coreutils
|
The install utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file installation. The implementation unlinks an existing destination file and t…
|
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
|
CVE-2026-35355
|
2026-04-27 21:27 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1628
|
6.3 |
MEDIUM
Local
|
uutils
|
coreutils
|
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the install utility of uutils coreutils when using the -D flag. The command creates parent directories and subsequently performs a seco…
|
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
|
CVE-2026-35356
|
2026-04-27 21:27 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1629
|
4.4 |
MEDIUM
Local
|
uutils
|
coreutils
|
The mknod utility in uutils coreutils fails to handle security labels atomically by creating device nodes before setting the SELinux context. If labeling fails, the utility attempts cleanup using std…
|
CWE-281
CWE-459
Improper Preservation of Permissions
Incomplete Cleanup
|
CVE-2026-35361
|
2026-04-27 21:27 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1630
|
3.6 |
LOW
Local
|
uutils
|
coreutils
|
The safe_traversal module in uutils coreutils, which provides protection against Time-of-Check to Time-of-Use (TOCTOU) symlink races using file-descriptor-relative syscalls, is incorrectly limited to…
|
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
|
CVE-2026-35362
|
2026-04-27 21:26 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
