CVE-2026-35358
Improper Device Node Handling in uutils cp Causes DoS
Publication date: 2026-04-22
Last updated on: 2026-05-04
Assigner: Canonical Ltd.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uutils | coreutils | to 0.7.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-706 | The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided context and resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability exists in the cp utility of uutils coreutils when performing recursive copies using the -R option. Instead of preserving character and block device nodes as special device files, the utility treats them as regular stream sources and copies their byte content into regular files at the destination. This means that device semantics are lost—for example, a device like /dev/null becomes a normal file rather than a device node.
How can this vulnerability impact me? :
The incorrect handling of device nodes can lead to runtime denial of service conditions. Specifically, because device nodes are copied as regular files containing potentially unbounded data, this can cause disk exhaustion or cause processes to hang when attempting to read from these improperly copied files.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the behavior of the `cp` command in uutils coreutils when performing recursive copies of device nodes. Specifically, you can create a character device node and then recursively copy it to see if the device node is preserved or converted into a regular file.
- Create a temporary source directory.
- Create a character device node inside it, for example: `mknod /path/to/source/null c 1 3`.
- Use `cp -R /path/to/source /path/to/destination` to recursively copy the directory.
- Check the copied file at `/path/to/destination/null` to see if it is a character device node or a regular file.
If the copied `/null` is a regular file instead of a character device node, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the uutils coreutils package to a version that includes the fix for CVE-2026-35358. The fix ensures that the `cp` command correctly handles device nodes by recreating them instead of copying their data streams.
The fix was merged into the main branch on March 4, 2026, and is included in uutils-coreutils version 0.7.0 and later.
Until the update is applied, avoid using the vulnerable `cp` command for recursive copies involving device nodes, or use alternative tools that correctly preserve device nodes.