Can you explain this vulnerability to me?

The vulnerability exists in the recursive mode (-R) of the chmod utility in uutils coreutils. When processing multiple files, the utility incorrectly handles exit codes by only considering the success or failure of the last file processed. This means that even if errors occurred on earlier files, such as 'Operation not permitted', the command may still return an exit code of 0, indicating success.

As a result, scripts or automated processes that rely on these exit codes to verify successful permission changes may be misled into thinking all files were processed correctly, while some files may still have restrictive or incorrect permissions.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can lead to a false sense of security when changing file permissions recursively using chmod. Since errors on some files are not reflected in the exit code, scripts or users may believe that all files have had their permissions correctly modified.

This can result in sensitive files retaining restrictive or incorrect permissions, potentially causing unauthorized access issues or operational problems if permissions are not set as intended.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability in the recursive mode (-R) of the chmod utility in uutils coreutils causes incorrect exit code handling when processing multiple files. This means that scripts relying on these exit codes may falsely assume success even if some files failed to have their permissions correctly set.

Such incorrect handling can lead to sensitive files retaining restrictive or incorrect permissions, potentially exposing or improperly protecting data.

This behavior can undermine compliance with standards and regulations like GDPR and HIPAA, which require proper protection and handling of sensitive data. If file permissions are not correctly enforced due to this bug, organizations may inadvertently violate data protection requirements.

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the chmod utility in uutils coreutils incorrectly reporting exit codes when processing multiple files recursively. To detect this issue on your system, you can test the behavior of chmod with multiple files where some files are expected to fail permission changes.

For example, you can run a command like: chmod -R 700 file1 file2 file3 where file2 is a file you do not have permission to modify. If the exit code ($?) returns 0 despite the permission error on file2, your system is vulnerable.

You can check the exit code immediately after running chmod by executing: echo $?

If the exit code is 0 even though errors were shown during chmod execution, this indicates the vulnerability is present.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should update the uutils coreutils package to a version that includes the fix for CVE-2026-35339.

The fix was merged into the main branch of uutils/coreutils in late December 2025 and early January 2026, correcting the error handling logic so that chmod returns a failure exit code if any file operation fails.

If you are using Rust Coreutils, upgrading to version 0.6.0 or later is recommended, as this release includes the patch addressing this issue along with other bug fixes and improvements.

Until you can update, avoid relying solely on chmod's exit code for scripts that process multiple files recursively, and consider adding additional error checking or logging to detect permission errors.

Useful 0 Not Useful 0