CVE-2026-35351
Ownership Preservation Flaw in uutils mv Causes Privilege Issues
Publication date: 2026-04-22
Last updated on: 2026-04-27
Assigner: Canonical Ltd.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uutils | coreutils | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-281 | The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by verifying if files moved across different filesystem boundaries using the uutils/coreutils mv command have their ownership preserved correctly. Specifically, after moving a file as root from one filesystem to another, check if the ownership of the moved file remains the same as the original or if it has been changed to root (UID 0, GID 0).
A practical detection method involves creating a test file owned by a non-root user, mounting a separate filesystem (e.g., tmpfs), and moving the file across the filesystem boundary using mv as root. Then, inspect the ownership of the moved file.
Example commands to detect the issue:
- Create a test file as a non-root user: sudo -u username touch /source/testfile
- Mount a separate filesystem (e.g., tmpfs): sudo mount -t tmpfs tmpfs /mnt/tmpfs
- Move the file across filesystem boundaries as root: sudo mv /source/testfile /mnt/tmpfs/
- Check the ownership of the moved file: ls -l /mnt/tmpfs/testfile
If the ownership shows root (UID 0, GID 0) instead of the original user, the vulnerability is present.
Can you explain this vulnerability to me?
The vulnerability exists in the mv utility of uutils coreutils, where it fails to preserve the original file ownership when moving files across different filesystem boundaries.
Instead of retaining the source file's UID and GID, the utility uses a copy-and-delete method that creates the destination file with the caller's UID and GID.
This means that files moved by a privileged user, such as root, may unexpectedly become owned by root rather than the original owner.
How can this vulnerability impact me? :
This vulnerability can break backups and migrations by altering file ownership unexpectedly.
Files moved by privileged users may become root-owned, which can lead to information disclosure if unauthorized users gain access or cause restricted access for the intended file owners.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability causes the mv utility to fail to preserve file ownership when moving files across different filesystem boundaries, resulting in files unexpectedly becoming root-owned. This can lead to information disclosure or restricted access for the intended owners.
Such unintended changes in file ownership and potential information disclosure could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data access and protection of sensitive information.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of the vulnerable uutils/coreutils mv command for moving files across filesystem boundaries, especially when running as root.
Instead, use alternative tools or commands that preserve file ownership metadata correctly, such as the GNU mv command, which explicitly restores ownership after copying.
Additionally, review and modify administrative scripts, backup processes, and migration workflows to ensure they do not rely on the vulnerable mv implementation for cross-device moves.
Monitor updates from the uutils/coreutils project for patches addressing this issue and apply them as soon as they become available.