CVE-2026-35345
Received Received - Intake
Symlink Follow Vulnerability in uutils tail Enables Data Exfiltration

Publication date: 2026-04-22

Last updated on: 2026-05-04

Assigner: Canonical Ltd.

Description
A vulnerability in the tail utility of uutils coreutils allows for the exfiltration of sensitive file contents when using the --follow=name option. Unlike GNU tail, the uutils implementation continues to monitor a path after it has been replaced by a symbolic link, subsequently outputting the contents of the link's target. In environments where a privileged user (e.g., root) monitors a log directory, a local attacker with write access to that directory can replace a log file with a symlink to a sensitive system file (such as /etc/shadow), causing tail to disclose the contents of the sensitive file.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-05-04
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35345
EUVD
EUVD-2026-24977
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
uutils coreutils *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, avoid using the uutils coreutils tail command with the --follow=name option in environments where untrusted users have write access to directories being monitored.

Specifically, do not allow local attackers with write permissions to replace monitored files with symbolic links, as this can lead to disclosure of sensitive file contents.

Consider using the GNU tail implementation instead, which detects and refuses to follow symbolic link replacements, preventing this type of information disclosure.

Executive Summary

This vulnerability exists in the tail utility of uutils coreutils when using the --follow=name option. Unlike the GNU tail implementation, uutils tail continues to monitor a file path even after it has been replaced by a symbolic link. This behavior allows a local attacker with write access to a monitored log directory to replace a log file with a symbolic link pointing to a sensitive system file, such as /etc/shadow. As a result, the tail utility discloses the contents of the sensitive file.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive file contents. In environments where a privileged user monitors log files using uutils tail with the --follow=name option, a local attacker can exploit this flaw to read sensitive system files by replacing log files with symbolic links. This can result in exposure of critical information such as password hashes, potentially leading to privilege escalation or further system compromise.

Compliance Impact

This vulnerability allows a local attacker with write access to a monitored log directory to exfiltrate sensitive file contents by exploiting the tail utility's handling of symbolic links. Such unauthorized disclosure of sensitive information could lead to violations of data protection regulations and standards that require the confidentiality and integrity of sensitive data, such as GDPR and HIPAA.

Specifically, if sensitive files like /etc/shadow are disclosed, it could result in non-compliance with regulations that mandate protection of personal or sensitive information, potentially leading to legal and financial consequences.

Detection Guidance

This vulnerability can be detected by testing the behavior of the uutils tail command with the --follow=name option when a file is replaced by a symbolic link.

A suggested test involves the following steps:

  • Create a directory and a file named 'testfile' containing some text, e.g., "original".
  • Run the command: tail --follow=name testfile (optionally with a timeout).
  • Remove 'testfile' and replace it with a symbolic link to a sensitive file, such as /etc/passwd.
  • Observe the output: if the tail command continues to output the contents of the symlink target file, the vulnerability is present.

This behavior differs from GNU tail, which refuses to follow the symlink and outputs a message indicating the file has been replaced with an untailable symbolic link.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35345. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart