CVE-2026-35338
Received Received - Intake
Path Traversal in uutils chmod Bypasses --preserve-root, Causes System-wide Permission Loss

Publication date: 2026-04-22

Last updated on: 2026-04-27

Assigner: Canonical Ltd.

Description
A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism. The implementation only validates if the target path is literally / and does not canonicalize the path. An attacker or accidental user can use path variants such as /../ or symbolic links to execute destructive recursive operations (e.g., chmod -R 000) on the entire root filesystem, leading to system-wide permission loss and potential complete system breakdown.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35338
EUVD
EUVD-2026-24963
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
uutils coreutils to 0.6.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the chmod utility of uutils coreutils, where the --preserve-root safety mechanism can be bypassed. The mechanism only checks if the target path is exactly '/', without properly resolving or canonicalizing the path.

Because of this, an attacker or an accidental user can use path variants like '/../' or symbolic links to trick the utility into performing recursive operations on the entire root filesystem.

For example, running a command like 'chmod -R 000' with such path tricks can lead to system-wide permission changes, causing loss of access and potentially complete system breakdown.

Impact Analysis

This vulnerability can lead to destructive recursive permission changes on the entire root filesystem.

As a result, it can cause system-wide permission loss, making files and directories inaccessible or unusable.

This may lead to a complete system breakdown, potentially requiring system recovery or reinstallation.

Compliance Impact

This vulnerability allows users to bypass the --preserve-root safety mechanism in the chmod utility, potentially leading to system-wide permission loss and complete system breakdown.

Such a compromise of system integrity and availability could impact compliance with standards and regulations like GDPR and HIPAA, which require organizations to ensure the confidentiality, integrity, and availability of sensitive data and systems.

If exploited, this vulnerability could lead to unauthorized changes in file permissions and system instability, increasing the risk of data breaches or loss, thereby potentially violating regulatory requirements for protecting personal or health information.

Detection Guidance

This vulnerability involves the chmod utility's --preserve-root flag being bypassed via path variants or symbolic links that resolve to the root directory. To detect if your system is vulnerable, you can check the version of the uutils coreutils package and verify if it includes the fix merged on January 7, 2026.

You can also attempt to test the behavior of chmod with the --preserve-root flag on paths that resolve to root but are not literally '/'. For example, try running commands like:

  • chmod -R --preserve-root 000 /../
  • chmod -R --preserve-root 000 /some/symlink/to/root

If these commands succeed in changing permissions recursively on the root filesystem, your system is vulnerable. If they fail with an error preventing operation on root, the fix is likely applied.

Mitigation Strategies

The immediate mitigation step is to update the uutils coreutils package to a version that includes the fix merged on January 7, 2026, which correctly prevents bypassing the --preserve-root flag by resolving paths to root.

Until the update is applied, avoid using the chmod utility with the --preserve-root flag on untrusted paths or symbolic links that could resolve to the root directory.

Additionally, review and restrict user permissions to prevent accidental or malicious execution of recursive chmod commands that could affect the root filesystem.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35338. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart