CVE-2026-35350
Improper Privilege Handling in uutils cp Causes Security Bypass
Publication date: 2026-04-22
Last updated on: 2026-04-24
Assigner: Canonical Ltd.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uutils | coreutils | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-281 | The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the cp utility of uutils coreutils. When copying files using the -p (preserve) flag, the utility attempts to preserve ownership and mode bits from the source file. However, if the ownership preservation (chown operation) fails, the utility still applies the source mode bits, including setuid and setgid bits, to the copied file.
This behavior can cause a copied file owned by a regular user to retain privileged bits, potentially creating executables with unexpected elevated privileges. This differs from the behavior of GNU cp, which clears these privileged bits if ownership cannot be preserved.
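The difference between the two behaviors, as an added Rust sketch (not code from uutils, GNU coreutils or the CVE record). `preserve_attrs`, `denied` and `demo` are hypothetical names, the chown step is injected so its failure can be simulated, and the two files are constructed in the temp directory.

```rust
use std::fs::{self, File, Permissions};
use std::io;
use std::os::unix::fs::{MetadataExt, PermissionsExt};
use std::path::Path;

const PRIV_BITS: u32 = 0o6000; // setuid (4000) | setgid (2000)

/// The attribute step of a `cp -p`-style copy: try to give `dst` the owner of
/// `src`, then apply the source mode. `set_owner` is injected (an assumption of
/// this sketch) so a chown failure can be simulated without root.
/// Returns the permission bits that ended up on `dst`.
fn preserve_attrs<F>(src: &Path, dst: &Path, set_owner: F, strip_on_failure: bool) -> io::Result<u32>
where
    F: Fn(&Path, u32, u32) -> io::Result<()>,
{
    let meta = fs::metadata(src)?;
    let mut mode = meta.mode() & 0o7777;
    let owner_kept = set_owner(dst, meta.uid(), meta.gid()).is_ok();
    if !owner_kept && strip_on_failure {
        // Owner differs from the source: setuid/setgid would now act for the wrong user.
        mode &= !PRIV_BITS;
    }
    fs::set_permissions(dst, Permissions::from_mode(mode))?;
    Ok(fs::metadata(dst)?.mode() & 0o7777)
}

/// Stand-in for a chown that the kernel refuses (EPERM for a regular user).
fn denied(_: &Path, _: u32, _: u32) -> io::Result<()> {
    Err(io::Error::from(io::ErrorKind::PermissionDenied))
}

/// Runs the step on two constructed temp files; the source is mode 4755.
fn demo(strip_on_failure: bool) -> io::Result<u32> {
    let tag = format!("{}-{}", std::process::id(), strip_on_failure);
    let src = std::env::temp_dir().join(format!("cp-p-src-{tag}"));
    let dst = std::env::temp_dir().join(format!("cp-p-dst-{tag}"));
    File::create(&src)?;
    File::create(&dst)?;
    fs::set_permissions(&src, Permissions::from_mode(0o4755))?;
    let result = preserve_attrs(&src, &dst, denied, strip_on_failure);
    let _ = fs::remove_file(&src);
    let _ = fs::remove_file(&dst);
    result
}

fn main() -> io::Result<()> {
    println!("mode applied as-is:        {:04o}", demo(false)?);
    println!("privileged bits stripped:  {:04o}", demo(true)?);
    Ok(())
}
```

In a real copy routine the injected function would wrap `std::os::unix::fs::chown`; the stripping branch is the behavior the text attributes to GNU cp.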
How can this vulnerability impact me?
This vulnerability can lead to security risks by allowing users to create files that unexpectedly retain setuid or setgid bits, granting elevated privileges unintentionally.
- Users may end up with executables that run with higher privileges than intended.
- This can violate local security policies and potentially allow privilege escalation.
- Attackers could exploit this to gain unauthorized access or perform actions with elevated rights.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the cp utility in uutils coreutils improperly handling setuid and setgid bits when copying files with the -p flag. Detection would involve checking for files that have unexpected setuid or setgid bits that should not be present, especially on user-owned copies.
You can detect potentially affected files by searching for files with setuid or setgid bits set that are owned by non-privileged users. For example, use the following commands:
- `find / -user <username> \( -perm -4000 -o -perm -2000 \) -ls`
- `find / -perm /6000 -exec ls -l {} +`
These commands look for files with setuid (4000) or setgid (2000) bits set. Reviewing such files for unexpected privilege bits can help identify if the vulnerability has been exploited.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, avoid using the vulnerable cp utility from uutils coreutils with the -p flag until a patch is available.
As a workaround, use the GNU cp utility which correctly clears setuid and setgid bits when ownership preservation fails.
Additionally, audit and remove any unexpected setuid or setgid bits on user-owned files that may have been created due to this issue.
Monitor for updates or patches from the vendor and apply them as soon as they become available.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability can lead to the creation of unexpected privileged executables due to improper handling of setuid and setgid bits when ownership preservation fails. Such privileged executables may violate local security policies.
While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, the presence of unexpected privileged executables could potentially lead to unauthorized access or privilege escalation, which may impact compliance with security requirements in these regulations.