CVE-2026-35368
Arbitrary Code Execution via chroot --userspec NSS Module Injection
Publication date: 2026-04-22
Last updated on: 2026-04-24
Assigner: Canonical Ltd.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uutils | coreutils | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-426 | The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the uutils/coreutils chroot utility is used with the --userspec option and whether the new root directory (NEWROOT) is writable by untrusted users.
One can inspect the permissions of the new root directory to ensure it is not writable by attackers, as writable NEWROOT allows injection of malicious NSS modules.
Additionally, monitoring for unexpected creation of files outside the chroot jail (e.g., /tmp/pwned) after running chroot commands with --userspec may indicate exploitation.
Suggested commands include:
- Check permissions of the new root directory: ls -ld /path/to/newroot
- Check for suspicious shared libraries inside the new root: find /path/to/newroot -name 'libnss_*.so.2'
- Run chroot with --userspec on a test user and check for unexpected files outside the jail, e.g., ls /tmp/pwned
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an attacker to execute arbitrary code as root by injecting malicious NSS modules if the new root directory is writable. Such a privilege escalation or container escape can lead to unauthorized access to sensitive data and system resources.
Consequently, this can impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access. Exploitation of this vulnerability could result in data breaches or unauthorized data processing, violating these regulatory requirements.
Can you explain this vulnerability to me?
This vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering the chroot environment but before dropping root privileges. On systems using glibc, this process can cause the Name Service Switch (NSS) to load shared libraries from the new root directory. If the new root directory is writable by an attacker, they can inject a malicious NSS module, which can then execute arbitrary code with root privileges.
How can this vulnerability impact me? :
This vulnerability can lead to a full container escape or privilege escalation. An attacker who can write to the new root directory can inject malicious code that executes with root privileges, potentially compromising the entire system or container.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include ensuring that the new root directory used with chroot is not writable by untrusted users or attackers.
Avoid using the --userspec option with the vulnerable uutils/coreutils chroot utility until a patch is applied.
Apply updates or patches provided by the uutils/coreutils project or your distribution that fix the issue by dropping privileges before resolving the user specification.
As a temporary workaround, use the GNU coreutils chroot utility instead of the vulnerable uutils/coreutils version, as the PoC shows it is not vulnerable.