CVE-2026-35365
Received Received - Intake
Symlink Expansion Flaw in uutils mv Causes Data Duplication

Publication date: 2026-04-22

Last updated on: 2026-05-04

Assigner: Canonical Ltd.

Description
The mv utility in uutils coreutils improperly handles directory trees containing symbolic links during moves across filesystem boundaries. Instead of preserving symlinks, the implementation expands them, copying the linked targets as real files or directories at the destination. This can lead to resource exhaustion (disk space or time) if symlinks point to large external directories, unexpected duplication of sensitive data into unintended locations, or infinite recursion and repeated copying in the presence of symlink loops.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-05-04
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-35365
EUVD
EUVD-2026-25012
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
uutils coreutils to 0.7.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the mv utility of uutils coreutils, where it improperly handles directory trees containing symbolic links when moving files across filesystem boundaries.

Instead of preserving symbolic links during the move, the utility expands them by copying the actual linked targets as real files or directories at the destination.

This behavior can cause problems such as resource exhaustion if the symlinks point to large external directories, unexpected duplication of sensitive data into unintended locations, or infinite recursion and repeated copying if there are symlink loops.

Impact Analysis

This vulnerability can impact you by causing resource exhaustion, such as running out of disk space or excessive processing time, due to the expansion of symbolic links pointing to large directories.

It can also lead to unexpected duplication of sensitive data into locations where it was not intended to be copied, potentially exposing confidential information.

Additionally, if there are symlink loops, the utility may enter infinite recursion, repeatedly copying files and further exacerbating resource consumption.

Compliance Impact

The vulnerability in the mv utility can lead to unexpected duplication of sensitive data into unintended locations due to improper handling of symbolic links. This behavior could potentially result in unauthorized exposure or mishandling of sensitive information.

Such unintended data duplication and exposure may impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over the handling, storage, and transfer of sensitive personal or health information.

Additionally, resource exhaustion caused by this vulnerability could affect system availability, which may also have compliance implications under standards requiring system reliability and data integrity.

Detection Guidance

Detection of this vulnerability involves identifying usage of the vulnerable mv utility from uutils coreutils when moving directory trees containing symbolic links across filesystem boundaries.

You can check for presence of symbolic links in directories that are moved across devices and monitor for unexpected file duplications or resource exhaustion.

  • Use the command `find /path/to/dir -type l` to list symbolic links within a directory.
  • Monitor disk usage with `du -sh /path/to/destination` before and after moves to detect unexpected data duplication.
  • Check for recursive copying or infinite loops by observing mv command behavior or system logs during cross-device moves.
Mitigation Strategies

To mitigate this vulnerability, update the uutils coreutils package to a version that includes the fix merged on March 5, 2026, which preserves symbolic links during cross-device moves instead of expanding them.

Until the update is applied, avoid moving directory trees containing symbolic links across filesystem boundaries using the vulnerable mv utility.

Alternatively, use other tools or commands that correctly handle symbolic links during moves, or manually verify symbolic links before moving.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35365. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart