CVE-2026-35365
Symlink Expansion Flaw in uutils mv Causes Data Duplication
Publication date: 2026-04-22
Last updated on: 2026-05-04
Assigner: Canonical Ltd.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uutils | coreutils | < 0.7.0 (all releases before 0.7.0; 0.7.0 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
When the affected mv moves a directory tree across filesystems, symbolic links inside the tree are replaced at the destination by copies of whatever they point to. Sensitive data that was only referenced by a link can therefore end up duplicated into a location that was never meant to hold it, with different access controls, backups and retention.
Such unintended data duplication and exposure may impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over the handling, storage, and transfer of sensitive personal or health information.
Additionally, resource exhaustion caused by this vulnerability could affect system availability, which may also have compliance implications under standards requiring system reliability and data integrity.
Can you explain this vulnerability to me?
The flaw is in the mv utility of uutils coreutils before 0.7.0. A move within one filesystem is a plain rename(2) and is unaffected. When source and destination are on different filesystems, rename(2) fails with EXDEV and mv falls back to copying the directory tree and then deleting the source.
In that copy step the affected versions followed symbolic links instead of recreating them: each symlink at the destination became a real file or directory holding a copy of the link target, even when the target lay outside the tree being moved (CWE-59, improper link resolution).
The consequences are resource exhaustion when a link points at a large external directory, unexpected duplication of sensitive data into the destination, and, when links form a loop, unbounded recursion with repeated copying until disk or time runs out.
How can this vulnerability impact me?
This vulnerability can impact you by causing resource exhaustion, such as running out of disk space or excessive processing time, due to the expansion of symbolic links pointing to large directories.
It can also lead to unexpected duplication of sensitive data into locations where it was not intended to be copied, potentially exposing confidential information.
Additionally, if there are symlink loops, the utility may enter infinite recursion, repeatedly copying files and further exacerbating resource consumption.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts: establishing whether the mv on a system is a uutils build older than 0.7.0, and finding moves of symlink-containing directory trees across filesystem boundaries, which is the only operation that reaches the vulnerable copy fallback.
You can check for symbolic links in directories that are moved across devices and watch for unexpected growth at the destination or a mv that does not finish.
- Run `mv --version` and check whether the first line names uutils and a version below 0.7.0; GNU builds print `mv (GNU coreutils) <version>` and are not affected by this issue.
- Use `find /path/to/dir -type l` to list symbolic links within a tree before moving it; `find /path/to/dir -type l -xtype d` (GNU find) narrows this to links that resolve to directories, the case that causes the largest expansion.
- Compare `du -sh /path/to/destination` before and after a cross-device move; a destination noticeably larger than the source indicates expanded links.
- A cross-device move that runs far longer than the data size warrants, with the destination still growing, is the signature of a symlink loop being copied repeatedly; inspect the destination with `find /path/to/destination -type d | head` and terminate the mv.
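The following POSIX shell script is an added example, not the advisory's or the uutils project's code. It turns the explanation and the detection steps above into two checks: a version test for the mv on PATH, and a probe that moves a small constructed tree containing a symlink to an outside directory and reports whether the link survived. Assumptions: `mv --version` prints a first line that ends in the version number and, for uutils builds, contains the word "uutils" (GNU prints `mv (GNU coreutils) 9.4`); the affected range is taken from the table above (< 0.7.0); the probe paths and the `MV` override variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or uutils): detect an affected mv and
# probe its behaviour on a throwaway tree. Assumption: uutils' `mv --version`
# first line names "uutils" and ends with the version, e.g.
#   mv (uutils coreutils) 0.6.0
# Set MV=/path/to/mv to test a binary that is not first on PATH.

# version_lt A B: return 0 if dotted numeric version A is strictly below B.
version_lt() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*} bi=${b%%.*}
    if [ "$ai" = "$a" ]; then a=''; else a=${a#*.}; fi
    if [ "$bi" = "$b" ]; then b=''; else b=${b#*.}; fi
    [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
    [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
  done
  return 1
}

# version_line_affected LINE: parse one --version line; return 0 if it is a
# uutils build below 0.7.0 (the affected range in the table above). Kept
# separate from mv_is_affected so it can be tested on constructed strings.
version_line_affected() {
  case $1 in
    *uutils*) ;;
    *) return 1 ;;   # not a uutils build: this advisory does not apply
  esac
  ver=${1##* }       # last whitespace-separated token is the version
  [ -n "$ver" ] || return 1
  version_lt "$ver" 0.7.0
}

# mv_is_affected: run the mv on PATH (or $MV) and apply the check above.
mv_is_affected() {
  line=$("${MV:-mv}" --version 2>/dev/null | head -n 1)
  [ -n "$line" ] || return 1
  version_line_affected "$line"
}

# mv_symlink_probe SRC_PARENT DST_PARENT: build a tree under SRC_PARENT that
# holds a symlink to a directory outside the tree, mv it into DST_PARENT and
# print "preserved" if the link is still a link, "expanded" if mv replaced it
# with a copy of the target. DST_PARENT must be on a different filesystem
# (e.g. a tmpfs such as /dev/shm) to exercise the copy fallback; a move
# within one filesystem is a rename and always preserves links.
mv_symlink_probe() {
  src=$1/probe-src dst=$2/probe-dst target=$1/probe-target
  rm -rf "$src" "$dst" "$target"
  mkdir -p "$src/sub" "$target"
  echo canary > "$target/data"      # shows up as $dst/sub/link/data if expanded
  ln -s "$target" "$src/sub/link"
  "${MV:-mv}" "$src" "$dst" || return 1
  if [ -L "$dst/sub/link" ]; then result=preserved; else result=expanded; fi
  rm -rf "$dst" "$target"
  echo "$result"
}

# Usage:
#   mv_is_affected && echo "mv is a uutils build below 0.7.0"
#   mv_symlink_probe /var/tmp /dev/shm     # parents on different filesystems
```

Run the probe with the two parent directories on different filesystems; "expanded" on a cross-device move reproduces the behaviour this advisory describes, while the same probe with both parents on one filesystem prints "preserved" regardless of which coreutils is installed.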
What immediate steps should I take to mitigate this vulnerability?
Update uutils coreutils to 0.7.0 or later; the affected range above stops before 0.7.0, and the fix merged on March 5, 2026 makes the cross-device copy fallback recreate symbolic links instead of following them.
Until the update is applied, do not move directory trees that contain symbolic links across filesystem boundaries with the affected mv; list them first with `find /path/to/dir -type l`.
Where such a move is unavoidable, copy the tree with a tool that preserves links, such as `rsync -a` or a tar pipe, confirm that the destination holds the same symbolic links as the source, and only then delete the source.
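The following POSIX shell script is an added example, not the advisory's or the uutils project's code, of the workaround described above: it copies a tree with a tar pipe (tar records symbolic links as links rather than following them), compares the symlink inventory of source and destination, and deletes the source only when they match. The function names and the manifest format are this example's own; it assumes `tar`, `find` and `readlink` are available.

```shell
#!/bin/sh
# Added example (not from the advisory or uutils): move a directory tree across
# filesystems without relying on mv's copy fallback, and refuse to delete the
# source unless every symlink was reproduced at the destination.

# symlink_manifest DIR: print "relative-path<TAB>link-target" for every
# symlink under DIR, sorted, so two trees can be compared as strings.
symlink_manifest() {
  ( cd "$1" && find . -type l -exec sh -c \
      'for l; do printf "%s\t%s\n" "$l" "$(readlink "$l")"; done' sh {} + ) | sort
}

# safe_move_tree SRC DST: copy SRC into the new directory DST via a tar pipe,
# verify the symlink manifests agree, then remove SRC. Returns 0 on success.
# On any failure both copies are left in place and the status is 1.
safe_move_tree() {
  src=$1 dst=$2
  [ -d "$src" ] || return 1
  [ -e "$dst" ] && return 1          # never merge into an existing directory
  mkdir -p "$dst"
  ( cd "$src" && tar -cf - . ) | ( cd "$dst" && tar -xf - ) || return 1
  if [ "$(symlink_manifest "$src")" = "$(symlink_manifest "$dst")" ]; then
    rm -rf "$src"
    return 0
  fi
  echo "symlink mismatch between $src and $dst; source kept" >&2
  return 1
}

# Usage: safe_move_tree /data/project /mnt/other-fs/project
```

The manifest comparison is what makes the deletion safe: if the copy step had followed a link the way the affected mv does, the destination manifest would lack that entry and the source would be kept for inspection.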