CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-35371

CVE-2026-35371: Logical Identity Spoofing in uutils coreutils id Utility

Alon Barad
Alon Barad
Software Engineer

Jul 6, 2026·9 min read·5 visits

Executive Summary (TL;DR)

The Rust-based uutils 'id' utility incorrectly resolves the effective user's name using the effective Group ID (EGID) instead of the effective User ID (EUID) when real and effective IDs differ. This allows local users to spoof their reported username to downstream scripts by manipulating their group context.

CVE-2026-35371 is a logical validation vulnerability (CWE-451) in the Rust-based GNU coreutils clone (uutils/coreutils). When formatting pretty-print statistics for a process where the real User ID (UID) and effective User ID (EUID) differ, the id utility mistakenly uses the effective Group ID (EGID) to retrieve the effective user name. This mismatch can mislead administrative scripts or system administrators who rely on the command's stdout to verify privilege states.

Vulnerability Overview

The uutils/coreutils project is a cross-platform, Rust-based implementation of the traditional GNU coreutils software suite. This package serves as an alternative to the original GNU suite written in C, aiming to offer memory-safety guarantees inherent to the Rust programming language. One of the utilities provided by this package is the id binary. The id command is used across POSIX-compliant operating systems to print real and effective user and group information for a process. Under normal conditions, the utility translates numeric identification values into string representations by querying system database mappings.\n\nThis utility exposes an attack surface when operating in multi-user systems, privilege separation layers, or during local execution context changes. Specifically, the vulnerability categorized under CVE-2026-35371 manifests as a logical validation flaw (CWE-451). This flaw occurs during the execution of the pretty-print formatting flow of the id utility when there is a mismatch between the process's real User ID (UID) and its effective User ID (EUID). Such mismatches commonly occur when a binary utilizes the setuid permission bit or is executed through administrative tools such as setpriv or sudo configuration states.\n\nInstead of evaluating the effective user name using the effective User ID, the code base uses the effective Group ID (EGID) to execute the lookup. This leads to a scenario where the utility prints a spoofed or misleading username as the active EUID. The breakdown in state display does not directly compromise memory but creates a vector of identity misrepresentation, which directly affects downstream scripts and administrative parsing suites that rely on the formatted output of the id command.\n\nBecause the underlying numeric types for user IDs and group IDs map to the same primitive integer types in Rust wrappers, the compiler does not flag the parameter swap during compilation. This mismatch remains silent until the utility runs in an environment where the effective Group ID has been configured to match the numeric User ID of a different system account. This creates conditions where an unprivileged local user can display a false effective identity to administrative tools.

Root Cause Analysis

The fundamental issue driving CVE-2026-35371 lies within how Unix-like operating systems manage process credentials and how standard utilities perform reverse-lookups. On POSIX systems, a running process tracks several distinct identities, including the real User ID (RUID), real Group ID (RGID), effective User ID (EUID), and effective Group ID (EGID). The kernel uses the effective credentials (EUID and EGID) to evaluate authorization policies during system calls, file access operations, and socket interactions. The real IDs represent the user who originally instantiated the process, whereas the effective IDs represent the context under which active authorization occurs.\n\nWhen a tool like id executes, it performs a system database lookup to translate numeric identifiers (such as UID 1000 or GID 1000) to corresponding human-readable strings (such as 'alice' or 'staff'). These lookups typically wrap libc calls such as getpwuid (for user names) and getgrgid (for group names). Under the Rust Standard Library and external dependency libraries like the nix crate, these functions are exposed via standard wrapper APIs. The underlying types for both user IDs and group IDs are defined as libc::uid_t and libc::gid_t, which are aliases to the primitive unsigned 32-bit integer type u32.\n\nBecause of this common type representation, Rust's type-safety mechanisms do not differentiate between user identifiers and group identifiers at the API boundary unless explicitly wrapped in custom types. In the source file src/uu/id/src/id.rs, a variable-mismatch logic bug was introduced during development. The program correctly retrieves the effective Group ID (EGID) and the effective User ID (EUID), but when resolving the effective user name string, it mistakenly supplies the EGID variable as the input argument to the user lookup function uid2usr.\n\nIf the EGID matches a valid numeric UID of a different user on the host system, the name resolution query succeeds and retrieves the username corresponding to that UID. For example, if a process runs with an EUID of 3000 (user 'bob') and an EGID of 2000 (group 'developers'), and a separate user account 'alice' exists with UID 2000, the id utility queries the database for UID 2000 and incorrectly reports 'alice' as the effective user name. This mismatch bypasses logical expectations and misrepresents active process privileges.

Code Analysis

To understand the structure of the logic flaw, it is necessary to examine the vulnerable implementation in src/uu/id/src/id.rs. The code pattern below illustrates how variables were extracted and passed to the resolution functions prior to the fix:\n\nrust\n// Vulnerable logic inside uutils/coreutils id.rs\nfn print_pretty(uid: uid_t, gid: gid_t, euid: uid_t, egid: gid_t) {\n // Retrieve normal user and group representations\n let username = uid2usr(uid);\n let groupname = gid2grp(gid);\n\n // ERROR: Passing effective GID (egid) to the user lookup function (uid2usr)\n // Because both egid and euid are u32 primitives, the compiler does not flag this.\n let effective_user = uid2usr(egid as uid_t);\n\n println!(\"login\\t{}\", username);\n println!(\"uid\\t{}\", uid);\n println!(\"euid\\t{}\", effective_user);\n println!(\"groups\\t{}\", groupname);\n}\n\n\nThe fix commit replaces the incorrect variable parameter with the intended variable euid. This modification restores correct behavior by mapping the effective user name directly to the effective user identifier:\n\nrust\n// Patched logic inside uutils/coreutils id.rs\nfn print_pretty(uid: uid_t, gid: gid_t, euid: uid_t, egid: gid_t) {\n // Retrieve normal user and group representations\n let username = uid2usr(uid);\n let groupname = gid2grp(gid);\n\n // FIXED: Correctly pass the euid variable to resolve the effective user name\n let effective_user = uid2usr(euid);\n\n println!(\"login\\t{}\", username);\n println!(\"uid\\t{}\", uid);\n println!(\"euid\\t{}\", effective_user);\n println!(\"groups\\t{}\", groupname);\n}\n\n\nWhile the fix is structurally complete for this specific code path, the underlying programming pattern remains a source of potential issues. Simply using uid_t and gid_t aliases as u32 variables prevents the Rust compiler from catching similar parameter swaps elsewhere in the system codebase. To achieve robust security, developers should consider defining distinct newtypes such as struct UserId(u32) and struct GroupId(u32) to enforce separation of these domains at compile time.\n\nAdditionally, auditing adjoining utilities in the uutils/coreutils repository is necessary to ensure that copy-pasted implementations do not contain equivalent parameter mismatches. Utilities such as whoami and groups perform similar name-to-ID translations and require validation to guarantee that their logical checks correctly parse current execution contexts under complex privileges.

Exploitation

The exploitation of CVE-2026-35371 relies on manipulating local process execution contexts to fool downstream relying parties. To execute this technique, an attacker must have local access with command execution capabilities. The primary target is typically a shell script or local management agent running with high privileges that evaluates execution context using the id utility and performs actions on behalf of the reported username.\n\nTo perform the exploit, the attacker must identify a target user account whose UID matches an EGID that the attacker can assume. For instance, if an administrative account exists with UID 2000 (e.g., 'backup_agent') and the attacker can run a command with an EGID of 2000, they can trigger the vulnerability. The attacker can use tools like setpriv to manually set the effective User ID to their own unprivileged UID (e.g., 3000) while setting the effective Group ID to 2000:\n\nbash\nsudo setpriv --euid 3000 --egid 2000 --clear-groups /path/to/vulnerable/id -p\n\n\nWhen this command runs, the vulnerable id binary resolves the username for the effective group ID (2000) instead of the effective user ID (3000). The output falsely indicates that the effective user is 'backup_agent'.\n\nmermaid\ngraph LR\n A[\"Attacker Process (EUID=3000, EGID=2000)\"] --> B[\"Execute Vulnerable id Utility\"]\n B --> C[\"Lookup mapping: uid2usr(EGID=2000)\"]\n C --> D[\"Incorrectly Output euid as 'backup_agent'\"]\n D --> E[\"Downstream Script parses Output\"]\n E --> F[\"Bypass Access Control Policy\"]\n\n\nIf an automated administrative script parses the output of id (for example, executing id -p and searching for the string 'backup_agent' to authorize file modifications), the script will mistakenly evaluate the attacker's context as authorized. This results in an arbitrary bypass of the script's access control check, granting access to protected administrative operations without the attacker actually possessing the corresponding UID.

Impact Assessment

The severity of CVE-2026-35371 is rated as Low, with a CVSS v3.1 base score of 3.3. The attack vector is strictly Local (AV:L), and execution complexity is Low (AC:L). Because it requires local shell access, it cannot be directly triggered from a remote network location without an auxiliary entry vector such as an exposed SSH service or a web application command-injection vulnerability.\n\nWhile the direct impact is classified as Low because the utility itself does not contain memory corruption vulnerabilities or execute arbitrary code, the indirect impact can be significant. The vulnerability violates the integrity of administrative tool diagnostic data. In environments where security boundaries depend on text processing of standard utilities, this logical misrepresentation breaks the underlying threat model.\n\nIf automated system management scripts or local security daemons parse the stdout of id to decide whether to permit administrative operations, the identity spoofing leads directly to unauthorized privileges or access bypasses. System administrators rely on the correct behavior of core command-line utilities to diagnose configurations, meaning a spoofed display can mislead troubleshooting personnel into making unsafe policy changes.\n\nThe Exploit Prediction Scoring System (EPSS) rating for this vulnerability is extremely low (0.00123), indicating that it is not currently utilized by known threat groups in widespread malware or ransomware campaigns. It remains a localized risk relevant to systems running specific administrative workflows built on top of Rust-based coreutils rewrites.

Remediation

The primary remediation strategy is to update the uutils/coreutils package to the latest commit that addresses issue 10006. This update replaces the incorrect parameter egid with the correct parameter euid within the identity lookup code inside src/uu/id/src/id.rs to ensure proper user resolution under all process contexts.\n\nOn systems where an immediate package update is not feasible, administrators should configure their environment to use standard GNU coreutils instead of the Rust rewrite. This can be accomplished by verifying that the standard PATH environment variable prioritizes /usr/bin (containing the C-based GNU implementation) over any custom paths containing uutils binaries:\n\nbash\n# Verify which binary is in use\nwhich id\n# Ensure it does not point to a uutils installation\n\n\nFurthermore, developers of system automation scripts should adopt safe scripting practices. Scripts should avoid parsing the stdout of helper utilities for access control decisions. Instead, use built-in shell features or native system calls. In Bash scripts, checking the $EUID environment variable provides a safer mechanism for evaluating privilege context, as it queries the kernel directly rather than parsing textual tool output:\n\nbash\n# Safer check within system scripts\nif [ \"$EUID\" -ne 2000 ]; then\n echo \"Access Denied\"\n exit 1\nfi\n\n\nFinally, development teams working on system utility ports should implement architectural boundaries to prevent similar type-swapping errors. Enforcing strong typing for user and group identifiers via separate structures prevents parameter confusion at compile-time and eliminates this entire class of bugs.

Technical Appendix

CVSS Score
3.3/ 10
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS Probability
0.12%
Top 98% most exploited

Affected Systems

uutils coreutilsUbuntu Linux (with uutils coreutils installed)

Affected Versions Detail

Product
Affected Versions
Fixed Version
uutils coreutils
uutils
All versions prior to the January 2026 fix commitCommit addressing issue 10006
AttributeDetail
CWE IDCWE-451
Attack VectorLocal (AV:L)
CVSS Base Score3.3
EPSS Score0.00123
EPSS Percentile2.42%
ImpactIdentity spoofing and downstream script logic bypass
Exploit StatusProof of concept
KEV StatusNot listed

MITRE ATT&CK Mapping

T1078Valid Accounts
Defense Evasion
T1548Abuse Elevation Control Mechanism
Privilege Escalation
CWE-451
User Interface (UI) Misrepresentation of Critical Information

The software displays misleading, incomplete, or spoofed data in its user interface, leading down-stream verification processes to make incorrect decisions.

Known Exploits & Detection

GitHub Issue #10006Detailed reproduction steps and analysis of the logical variable mismatch within the id utility.

Vulnerability Timeline

Technical issue 10006 opened on uutils/coreutils repository
2026-01-03
Code audit corrective patch submitted for variable mismatch
2026-01-15
CVE-2026-35371 published to NVD catalog
2026-04-22
NVD record updated with revised mappings and CVSS score
2026-06-17

References & Sources

  • [1]Official Issue Tracking Page
  • [2]CVE.org Authority Portal
  • [3]NVD Authority Record
  • [4]Wiz Vulnerability Database Advisory

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 1 hour ago•CVE-2026-55792
6.0

CVE-2026-55792: Sensitive File Disclosure in Craft CMS via Twig Sandbox Bypass

CVE-2026-55792 represents a sensitive file disclosure vulnerability in Craft CMS. The issue arises from the inclusion of the `dataUrl()` function in the Twig sandbox allowlist combined with incomplete path validation inside the underlying helper method. Attackers with low-privileged control panel access can exploit this flaw to read and exfiltrate the `.env` configuration file.

Amit Schendel
Amit Schendel
3 views•6 min read
•about 1 hour ago•CVE-2026-35366
4.4

CVE-2026-35366: Security Inspection Bypass in uutils coreutils printenv via non-UTF-8 Environment Variables

A security inspection bypass vulnerability exists in the printenv utility of uutils coreutils (a Rust-based implementation of GNU coreutils) prior to version 0.6.0. Due to a semantic mismatch between POSIX environment variable specifications and Rust's strict UTF-8 validation rules, environment variables containing invalid UTF-8 byte sequences are silently omitted from printenv outputs. This allows local attackers to load and execute adversarial environment variables while remaining undetected by system administrators and automated security auditing tools.

Alon Barad
Alon Barad
4 views•6 min read
•about 2 hours ago•GHSA-X76W-8C62-48MG
4.3

GHSA-X76W-8C62-48MG: Missing Authorization in Craft CMS AssetsController Leads to Private Asset Disclosure

An improper authorization vulnerability in Craft CMS allows authenticated Control Panel users to bypass volume view permissions and access signed fallback transform preview links for private assets via the assets/preview-thumb action.

Alon Barad
Alon Barad
3 views•6 min read
•about 3 hours ago•CVE-2026-35339
5.5

CVE-2026-35339: Incorrect Exit Status Propagation in Rust uutils/coreutils chmod Recursive Execution

CVE-2026-35339 is a logic vulnerability in the Rust-written `uutils/coreutils` implementation of the `chmod` utility. When executing recursively (`-R` or `--recursive`) over multiple target paths, the utility fails to accumulate the overall exit status, overwriting error codes from early failures with the status of the final target. This results in false-success exit codes (0), potentially leading security automation and deployment scripts to assume permission modifications succeeded when they actually failed.

Alon Barad
Alon Barad
6 views•7 min read
•about 4 hours ago•CVE-2026-35338
7.3

CVE-2026-35338: Path Validation Bypass in uutils/coreutils chmod --preserve-root Option

A path validation bypass vulnerability exists in the chmod utility of uutils/coreutils before version 0.6.0. The '--preserve-root' safety mechanism relies on a literal string comparison, allowing local users to bypass root directory protection via unnormalized paths (such as '/../' or symbolic links) and recursively alter system-wide permissions.

Alon Barad
Alon Barad
6 views•6 min read
•about 5 hours ago•GHSA-7JVP-HJ45-2F2M
7.7

GHSA-7jvp-hj45-2f2m: Scriban Template Writes to Arbitrary CLR Properties via TypedObjectAccessor

An improper access control and mass assignment vulnerability in Scriban allows templates to write to arbitrary, restricted CLR properties (including private, internal, and init-only properties) of context-bound objects, causing unexpected state mutations on the host application heap.

Alon Barad
Alon Barad
5 views•6 min read