CVE-2026-35370
Received Received - Intake

Incorrect Group Calculation in uutils coreutils id Causes Access Risks

Vulnerability report for CVE-2026-35370, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-22

Last updated on: 2026-05-04

Assigner: Canonical Ltd.

Description

The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions, this discrepancy can lead to unauthorized access or security misconfigurations.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-22
Last Modified
2026-05-04
Generated
2026-07-06
AI Q&A
2026-04-22
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
uutils coreutils *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the id utility of uutils coreutils, where it incorrectly calculates the groups= section of its output.

Specifically, it uses a user's real GID instead of their effective GID to determine the group list, which can cause the output to differ from that of GNU coreutils.

Since many scripts and automated processes depend on the output of id for security-critical access control or permission decisions, this miscalculation can lead to incorrect or misleading information.

Impact Analysis

Because the id utility outputs incorrect group information, scripts and automated systems that rely on this output for access control or permission checks may make wrong decisions.

This can result in unauthorized access or security misconfigurations, potentially allowing users to gain permissions they should not have or causing denial of access where it is needed.

Compliance Impact

The vulnerability in the id utility of uutils coreutils causes miscalculation of group information, which can lead to unauthorized access or security misconfigurations. Since many scripts and automated processes rely on this output for security-critical access-control or permission decisions, this discrepancy may undermine the enforcement of access controls.

Such unauthorized access or misconfigurations could potentially impact compliance with standards and regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive data. However, the specific effect on compliance depends on how the affected systems use the id utility and whether this vulnerability leads to actual data exposure or unauthorized actions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35370. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart