CVE-2026-35338
Path Traversal in uutils chmod Bypasses --preserve-root, Causes System-wide Permission Loss
Publication date: 2026-04-22
Last updated on: 2026-04-27
Assigner: Canonical Ltd.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uutils | coreutils | to 0.6.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the chmod utility of uutils coreutils, where the --preserve-root safety mechanism can be bypassed. The mechanism only checks if the target path is exactly '/', without properly resolving or canonicalizing the path.
Because of this, an attacker or an accidental user can use path variants like '/../' or symbolic links to trick the utility into performing recursive operations on the entire root filesystem.
For example, running a command like 'chmod -R 000' with such path tricks can lead to system-wide permission changes, causing loss of access and potentially complete system breakdown.
How can this vulnerability impact me? :
This vulnerability can lead to destructive recursive permission changes on the entire root filesystem.
As a result, it can cause system-wide permission loss, making files and directories inaccessible or unusable.
This may lead to a complete system breakdown, potentially requiring system recovery or reinstallation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows users to bypass the --preserve-root safety mechanism in the chmod utility, potentially leading to system-wide permission loss and complete system breakdown.
Such a compromise of system integrity and availability could impact compliance with standards and regulations like GDPR and HIPAA, which require organizations to ensure the confidentiality, integrity, and availability of sensitive data and systems.
If exploited, this vulnerability could lead to unauthorized changes in file permissions and system instability, increasing the risk of data breaches or loss, thereby potentially violating regulatory requirements for protecting personal or health information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the chmod utility's --preserve-root flag being bypassed via path variants or symbolic links that resolve to the root directory. To detect if your system is vulnerable, you can check the version of the uutils coreutils package and verify if it includes the fix merged on January 7, 2026.
You can also attempt to test the behavior of chmod with the --preserve-root flag on paths that resolve to root but are not literally '/'. For example, try running commands like:
- chmod -R --preserve-root 000 /../
- chmod -R --preserve-root 000 /some/symlink/to/root
If these commands succeed in changing permissions recursively on the root filesystem, your system is vulnerable. If they fail with an error preventing operation on root, the fix is likely applied.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the uutils coreutils package to a version that includes the fix merged on January 7, 2026, which correctly prevents bypassing the --preserve-root flag by resolving paths to root.
Until the update is applied, avoid using the chmod utility with the --preserve-root flag on untrusted paths or symbolic links that could resolve to the root directory.
Additionally, review and restrict user permissions to prevent accidental or malicious execution of recursive chmod commands that could affect the root filesystem.