CVE-2026-35345
Symlink Follow Vulnerability in uutils tail Enables Data Exfiltration
Publication date: 2026-04-22
Last updated on: 2026-05-04
Assigner: Canonical Ltd.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uutils | coreutils | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the tail utility of uutils coreutils when using the --follow=name option. Unlike the GNU tail implementation, uutils tail continues to monitor a file path even after it has been replaced by a symbolic link. This behavior allows a local attacker with write access to a monitored log directory to replace a log file with a symbolic link pointing to a sensitive system file, such as /etc/shadow. As a result, the tail utility discloses the contents of the sensitive file.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of sensitive file contents. In environments where a privileged user monitors log files using uutils tail with the --follow=name option, a local attacker can exploit this flaw to read sensitive system files by replacing log files with symbolic links. This can result in exposure of critical information such as password hashes, potentially leading to privilege escalation or further system compromise.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the behavior of the uutils tail command with the --follow=name option when a file is replaced by a symbolic link.
A suggested test involves the following steps:
- Create a directory and a file named 'testfile' containing some text, e.g., "original".
- Run the command: tail --follow=name testfile (optionally with a timeout).
- Remove 'testfile' and replace it with a symbolic link to a sensitive file, such as /etc/passwd.
- Observe the output: if the tail command continues to output the contents of the symlink target file, the vulnerability is present.
This behavior differs from GNU tail, which refuses to follow the symlink and outputs a message indicating the file has been replaced with an untailable symbolic link.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, avoid using the uutils coreutils tail command with the --follow=name option in environments where untrusted users have write access to directories being monitored.
Specifically, restrict write permissions on monitored directories so that local users cannot replace monitored files with symbolic links, as this can lead to disclosure of sensitive file contents.
Consider using the GNU tail implementation instead, which detects and refuses to follow symbolic link replacements, preventing this type of information disclosure.
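One way to audit a path before pointing tail --follow=name at it, as an added example that is not part of this advisory or of uutils or GNU coreutils. The helper name check_tail_target and its finding labels are hypothetical, chosen for this example; it reports a monitored name that is already a symbolic link and a parent directory that group or other users can write to.

```shell
#!/bin/sh
# Added example: pre-flight audit for a path that will be watched with
# `tail --follow=name`. check_tail_target is a hypothetical helper name.
#
# Prints one finding per line. Returns 0 when nothing was found, 1 otherwise.
check_tail_target() {
    target=$1
    dir=$(dirname -- "$target")
    findings=0

    # CWE-59: the monitored name must not already be a symbolic link.
    if [ -L "$target" ]; then
        echo "SYMLINK $target -> $(readlink -- "$target")"
        findings=1
    fi

    # Anyone who can write to the directory can unlink the log file and
    # recreate the same name as a symlink while tail is running, so the
    # directory mode matters more than the mode of the file itself.
    # The first ten characters of `ls -ld` are the type and permission bits;
    # character 6 is group-write and character 9 is other-write.
    mode=$(ls -ld -- "$dir" | cut -c1-10)
    case $mode in
        ?????w????) echo "GROUP_WRITABLE_DIR $dir ($mode)"; findings=1 ;;
    esac
    case $mode in
        ????????w?) echo "WORLD_WRITABLE_DIR $dir ($mode)"; findings=1 ;;
    esac

    return $findings
}

# Usage: check_tail_target /path/to/app.log && tail --follow=name /path/to/app.log
```

The symlink test is a point-in-time check and cannot by itself prevent a later replacement (CWE-367); the directory permission findings are the ones that show whether a replacement is possible at all.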
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows a local attacker with write access to a monitored log directory to exfiltrate sensitive file contents by exploiting the tail utility's handling of symbolic links. Such unauthorized disclosure of sensitive information could lead to violations of data protection regulations and standards that require the confidentiality and integrity of sensitive data, such as GDPR and HIPAA.
Specifically, if sensitive files like /etc/shadow are disclosed, it could result in non-compliance with regulations that mandate protection of personal or sensitive information, potentially leading to legal and financial consequences.