CVE-2026-35370
Received Received - Intake
Incorrect Group Calculation in uutils coreutils id Causes Access Risks

Publication date: 2026-04-22

Last updated on: 2026-05-04

Assigner: Canonical Ltd.

Description
The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions, this discrepancy can lead to unauthorized access or security misconfigurations.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-05-04
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35370
EUVD
EUVD-2026-25018
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
uutils coreutils *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in the id utility of uutils coreutils causes miscalculation of group information, which can lead to unauthorized access or security misconfigurations. Since many scripts and automated processes rely on this output for security-critical access-control or permission decisions, this discrepancy may undermine the enforcement of access controls.

Such unauthorized access or misconfigurations could potentially impact compliance with standards and regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive data. However, the specific effect on compliance depends on how the affected systems use the id utility and whether this vulnerability leads to actual data exposure or unauthorized actions.

Executive Summary

The vulnerability exists in the id utility of uutils coreutils, where it incorrectly calculates the groups= section of its output.

Specifically, it uses a user's real GID instead of their effective GID to determine the group list, which can cause the output to differ from that of GNU coreutils.

Since many scripts and automated processes depend on the output of id for security-critical access control or permission decisions, this miscalculation can lead to incorrect or misleading information.

Impact Analysis

Because the id utility outputs incorrect group information, scripts and automated systems that rely on this output for access control or permission checks may make wrong decisions.

This can result in unauthorized access or security misconfigurations, potentially allowing users to gain permissions they should not have or causing denial of access where it is needed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35370. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart