Executive Summary

This vulnerability is a flaw in the ChownExecutor component used by the uutils coreutils commands chown and chgrp. During recursive operations, these utilities return an incorrect exit code because the final exit code is based only on the last file processed. If the last operation succeeds, the command returns a success code (0) even if earlier ownership or group changes failed due to permission errors.

As a result, administrative scripts that rely on the exit code to verify successful ownership changes may be misled into thinking all changes were successful when some actually failed.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to security misconfigurations because scripts or automated processes may incorrectly assume that ownership or group changes were applied successfully across a directory tree.

If ownership changes fail silently but the command returns a success code, unauthorized users might retain access to files they should no longer have permissions for, potentially leading to privilege escalation or unauthorized data access.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability can lead to security misconfigurations because administrative scripts may incorrectly assume that ownership changes have been successfully applied across a directory tree when in fact some changes failed. Such misconfigurations could potentially result in unauthorized access or improper data handling.

While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, inaccurate ownership settings and security misconfigurations could indirectly impact compliance by failing to enforce proper access controls and data protection measures required by these regulations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the behavior of the `chown` or `chgrp` commands when run recursively on multiple files or directories where some ownership or group changes are expected to fail due to permission errors.

Specifically, you can run a recursive `chown` or `chgrp` command on a directory tree containing files or directories with restricted permissions and observe the exit code returned by the command.

If the command returns an exit code of 0 despite some ownership changes failing, this indicates the presence of the vulnerability.

Example commands to test this behavior might include:

• Run `chown -R someuser:somegroup /path/to/testdir` where some files are not writable or accessible.
• Check the exit code immediately after the command with `echo $?`.

If the exit code is 0 even though some files failed to change ownership, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should update the affected `uutils coreutils` package to a version that includes the fix merged on January 9, 2026.

The fix corrects the exit code handling in the `chown` and `chgrp` utilities to ensure that any failure during recursive ownership or group changes is properly reported.

Until the update is applied, avoid relying solely on the exit code of recursive `chown` or `chgrp` commands for security-critical scripts or processes.

Instead, consider manually verifying ownership changes or implementing additional checks in scripts to detect permission errors.

Useful 0 Not Useful 0