CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-35339

CVE-2026-35339: Incorrect Exit Status Propagation in Rust uutils/coreutils chmod Recursive Execution

Alon Barad
Alon Barad
Software Engineer

Jul 6, 2026·7 min read·6 visits

Executive Summary (TL;DR)

A 'last-file-wins' logic vulnerability in Rust-based `chmod -R` permits silent failures, returning exit code 0 even if previous targets failed. This bypasses automated permission checks in scripts and CI/CD pipelines.

CVE-2026-35339 is a logic vulnerability in the Rust-written `uutils/coreutils` implementation of the `chmod` utility. When executing recursively (`-R` or `--recursive`) over multiple target paths, the utility fails to accumulate the overall exit status, overwriting error codes from early failures with the status of the final target. This results in false-success exit codes (0), potentially leading security automation and deployment scripts to assume permission modifications succeeded when they actually failed.

Vulnerability Overview

The chmod utility is a critical system administration tool utilized to modify file system access permissions. The Rust-based implementation of core system utilities, uutils/coreutils, features a modern, drop-in replacement for traditional GNU coreutils. It is frequently deployed in lightweight container environments, custom Linux distributions, and security-focused platforms. In these deployments, correct permission enforcement and accurate application exit statuses are critical for preserving privilege boundaries.

This vulnerability, designated as CVE-2026-35339, is categorized as CWE-253 (Incorrect Check of Function Return Value) and CWE-252 (Unchecked Return Value). The flaw specifically impacts the recursive mode (-R or --recursive) of the chmod utility. When executing over multiple top-level directories or file paths, the utility fails to properly maintain and propagate error states across all target iterations. If an early iteration fails due to a lack of privileges or missing paths, but the final iteration succeeds, the preceding error states are discarded, leading to a silent failure.

The resulting behavior causes the binary to return an exit status of 0 (Success) rather than a non-zero exit status (Failure). This failure to propagate the exit status creates operational vulnerabilities. Calling scripts, deployment orchestration tools, or host configuration engines that evaluate the command exit code to confirm system hardening will execute under the false assumption that all files were successfully secured.

Root Cause Analysis

The root cause of CVE-2026-35339 stems from a structural discrepancy in how loop iteration states are handled within the Chmoder::chmod() function in src/uu/chmod/src/chmod.rs. The utility tracks overall execution success or failure across multiple command-line arguments using a local state variable r. During non-recursive operations, r is updated sequentially by chaining the result of the current file's permission alteration with the accumulated status using Rust's Result::and logic.

However, in the recursive processing branch, the design diverges from this safe propagation pattern. The implementation directly assigns the outcome of the recursive walk to r during each iteration of the loop over command-line arguments. This direct assignment statement, r = self.walk_dir_with_context(file, true);, overrides the existing value of r without evaluating or chaining its previous state. The logic lacks an accumulation mechanism to preserve historical errors occurred in prior iterations.

Consequently, the execution model exhibits a 'last-file-wins' logical flaw. The flow diagram below illustrates this loop structure and details the execution sequence that leads to the state overwrite condition.

When a standard execution processes a list of paths, each path is evaluated sequentially. If the first path fails, r transitions to an error state. If the next path succeeds, the assignment r = ... overwrites the error state with a success state. The command-line utility ultimately terminates by evaluating the final value of r to determine its exit code, leading directly to the incorrect return value.

Code-Level Analysis and Security Patch

A comparison of the vulnerable codebase against the patched version highlights the simplicity of the error and the precision of the remedy. In the vulnerable implementation of the recursive directory traversal block, the state variable r is directly bound to the return value of walk_dir_with_context on each loop iteration.

// Vulnerable Code Path
if self.recursive {
    r = self.walk_dir_with_context(file, true); 
} else {
    r = self.chmod_file(file).and(r);
}

The corresponding patch, introduced in commit abd581f62e97d0b147306ac40eac13af71c6fbba, modifies this assignment to utilize Rust's standard combinator logic. By calling .and(r), the runtime checks the accumulated status before binding a new success state.

// Patched Code Path in src/uu/chmod/src/chmod.rs
if self.recursive {
    r = self.walk_dir_with_context(file, true).and(r);
} else {
    r = self.chmod_file(file).and(r);
}

The corrected assignment guarantees that if either the current directory traversal fails (returning an error) or any preceding traversal failed (preserving an error inside r), the state variable r remains in an error state. This ensures that the eventual exit status accurately reflects the existence of any errors encountered during the execution lifetime.

To ensure the robustness of the fix and prevent future regressions, the development team introduced a dedicated integration test. This test programmatically constructs three directories, restricts read permissions on the first directory to force a traversal failure, and subsequently executes chmod -R over all targets. The test asserts that the command terminates with a non-zero exit status and writes the appropriate 'Permission denied' message to standard error, confirming that the fix correctly addresses the 'last-file-wins' condition.

Exploitation and Attack Methodology

An adversary can exploit this vulnerability to bypass administrative security controls or evade detection during privilege escalation attempts. The attack vector relies on manipulating local files or directories to trigger silent failures in hardening scripts that use uutils/coreutils. This scenario requires no special privileges beyond standard shell or local directory modification permissions.

Consider an automated system administration script configured to run with elevated privileges (e.g., via root cron jobs or systemd services). The script secures a list of directories containing sensitive data and public temporary directories using a single recursive command:

# Hardening script execution
chmod -R 700 /opt/secure_records /var/tmp/public_scratch

If an unprivileged local user has created an immutable file or structured subdirectories inside /opt/secure_records that the execution context cannot modify, or if /opt/secure_records is configured to throw access errors, the recursive update fails for that directory. However, because /var/tmp/public_scratch is successfully modified, the chmod utility overwrites the initial error state.

Upon execution termination, the utility returns an exit status of 0. The calling script, written to abort or trigger alerts upon failure (e.g., set -e in bash), detects a successful run. The critical directory /opt/secure_records remains accessible with insecure, overly permissive settings, allowing unauthorized users to read or modify sensitive records without raising administrative alarms.

Impact and Risk Assessment

The impact of CVE-2026-35339 is assessed with a CVSS v3.1 score of 5.5, reflecting a medium-severity vulnerability. The impact vector is classified as High for Integrity (I:H) because the flaw directly undermines file system access control mechanisms. Inaccurate exit statuses prevent automated verification systems from verifying whether security policies have been correctly enforced.

While the vulnerability does not directly permit remote code execution or immediate privilege escalation, its role as an exploitation facilitator is significant. In modern infrastructure-as-code and continuous deployment pipelines, automated scripts are trusted to isolate system components and set access controls. If a tool silently fails to apply these controls, the entire platform remains exposed to subsequent compromise or unauthorized data access.

The low EPSS score (0.00142) indicates a low immediate probability of active exploitation in the wild. This is typical for logical error vulnerabilities that do not expose external network interfaces. However, for organizations utilizing Rust-based coreutils in production or embedded Linux configurations, the risk remains substantial because of the silent nature of the failure.

Remediation and Mitigation

The primary remediation path is upgrading the uutils/coreutils package to version 0.6.0 or higher, which integrates the official patch. For environments utilizing Rust coreutils via Rust's package manager, ensure that dependencies in Cargo.toml specify the patched release version.

# Secure Cargo Dependency
coreutils = "0.6.0"

In cases where immediate system-wide upgrades are not possible, administrators must implement operational workarounds to secure existing automated tasks. To mitigate the risk of silent permission application failure, administrative scripts should be refactored to execute recursive permissions modifications as individual commands rather than passing multiple targets to a single invocation:

# Insecure Multi-Target Command
chmod -R 700 /path1 /path2
 
# Secure Refactored Command Block
chmod -R 700 /path1 && chmod -R 700 /path2

Additionally, implementing explicit verification checks after modifying file system permissions is a highly effective defense-in-depth practice. System administrators can query file system states using stat or find to programmatically verify that all targets comply with the desired permission parameters, rather than relying solely on the exit code of the modification utility.

Fix Analysis (1)

Technical Appendix

CVSS Score
5.5/ 10
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS Probability
0.14%
Top 96% most exploited

Affected Systems

uutils/coreutils

Affected Versions Detail

Product
Affected Versions
Fixed Version
coreutils
uutils
< 0.6.00.6.0
AttributeDetail
CWE IDCWE-253 (Incorrect Check of Function Return Value)
Attack VectorLocal (AV:L)
CVSS v3.15.5 (Medium)
EPSS Score0.00142 (3.90th percentile)
ImpactIntegrity Loss (Silent permission-application bypasses)
Exploit StatusNo public weaponized exploits available
CISA KEV StatusNot listed

MITRE ATT&CK Mapping

T1222File and Directory Permissions Modification
Defense Evasion
CWE-253
Incorrect Check of Function Return Value

The software calls a function, but it does not check or incorrectly checks the return value of the function, which can lead to unexpected behavior when an error occurs.

References & Sources

  • [1]CVE-2026-35339 Record
  • [2]GitHub Pull Request 9793
  • [3]Security Fix Commit
  • [4]uutils coreutils 0.6.0 Release
  • [5]Wiz Vulnerability Database Entry

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 1 hour ago•CVE-2026-55792
6.0

CVE-2026-55792: Sensitive File Disclosure in Craft CMS via Twig Sandbox Bypass

CVE-2026-55792 represents a sensitive file disclosure vulnerability in Craft CMS. The issue arises from the inclusion of the `dataUrl()` function in the Twig sandbox allowlist combined with incomplete path validation inside the underlying helper method. Attackers with low-privileged control panel access can exploit this flaw to read and exfiltrate the `.env` configuration file.

Amit Schendel
Amit Schendel
3 views•6 min read
•about 1 hour ago•CVE-2026-35366
4.4

CVE-2026-35366: Security Inspection Bypass in uutils coreutils printenv via non-UTF-8 Environment Variables

A security inspection bypass vulnerability exists in the printenv utility of uutils coreutils (a Rust-based implementation of GNU coreutils) prior to version 0.6.0. Due to a semantic mismatch between POSIX environment variable specifications and Rust's strict UTF-8 validation rules, environment variables containing invalid UTF-8 byte sequences are silently omitted from printenv outputs. This allows local attackers to load and execute adversarial environment variables while remaining undetected by system administrators and automated security auditing tools.

Alon Barad
Alon Barad
4 views•6 min read
•about 2 hours ago•GHSA-X76W-8C62-48MG
4.3

GHSA-X76W-8C62-48MG: Missing Authorization in Craft CMS AssetsController Leads to Private Asset Disclosure

An improper authorization vulnerability in Craft CMS allows authenticated Control Panel users to bypass volume view permissions and access signed fallback transform preview links for private assets via the assets/preview-thumb action.

Alon Barad
Alon Barad
3 views•6 min read
•about 2 hours ago•CVE-2026-35371
3.3

CVE-2026-35371: Logical Identity Spoofing in uutils coreutils id Utility

CVE-2026-35371 is a logical validation vulnerability (CWE-451) in the Rust-based GNU coreutils clone (uutils/coreutils). When formatting pretty-print statistics for a process where the real User ID (UID) and effective User ID (EUID) differ, the id utility mistakenly uses the effective Group ID (EGID) to retrieve the effective user name. This mismatch can mislead administrative scripts or system administrators who rely on the command's stdout to verify privilege states.

Alon Barad
Alon Barad
5 views•9 min read
•about 4 hours ago•CVE-2026-35338
7.3

CVE-2026-35338: Path Validation Bypass in uutils/coreutils chmod --preserve-root Option

A path validation bypass vulnerability exists in the chmod utility of uutils/coreutils before version 0.6.0. The '--preserve-root' safety mechanism relies on a literal string comparison, allowing local users to bypass root directory protection via unnormalized paths (such as '/../' or symbolic links) and recursively alter system-wide permissions.

Alon Barad
Alon Barad
6 views•6 min read
•about 5 hours ago•GHSA-7JVP-HJ45-2F2M
7.7

GHSA-7jvp-hj45-2f2m: Scriban Template Writes to Arbitrary CLR Properties via TypedObjectAccessor

An improper access control and mass assignment vulnerability in Scriban allows templates to write to arbitrary, restricted CLR properties (including private, internal, and init-only properties) of context-bound objects, causing unexpected state mutations on the host application heap.

Alon Barad
Alon Barad
5 views•6 min read