CVE-2026-35371
Received Received - Intake
Incorrect UID Lookup in uutils coreutils id Causes Misleading Output

Publication date: 2026-04-22

Last updated on: 2026-05-04

Assigner: Canonical Ltd.

Description
The id utility in uutils coreutils exhibits incorrect behavior in its "pretty print" output when the real UID and effective UID differ. The implementation incorrectly uses the effective GID instead of the effective UID when performing a name lookup for the effective user. This results in misleading diagnostic output that can cause automated scripts or system administrators to make incorrect decisions regarding file permissions or access control.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-05-04
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35371
EUVD
EUVD-2026-25019
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
uutils coreutils *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-451 The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the id utility of uutils coreutils, where the "pretty print" output behaves incorrectly when the real UID and effective UID differ.

Specifically, the implementation mistakenly uses the effective GID instead of the effective UID during the name lookup for the effective user.

This causes misleading diagnostic output, which can confuse automated scripts or system administrators.

Impact Analysis

The misleading output from the id utility can lead to incorrect decisions about file permissions or access control.

Automated scripts or system administrators relying on this output might misinterpret user identity information, potentially causing improper permission settings or security configurations.

Compliance Impact

The vulnerability causes the `id` utility in uutils coreutils to produce misleading diagnostic output when the real UID and effective UID differ, due to incorrect use of the effective GID instead of the effective UID during name lookup.

This misleading output can cause automated scripts or system administrators to make incorrect decisions regarding file permissions or access control.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, inaccurate permission or access control decisions could potentially lead to unauthorized access or improper handling of sensitive data, which may impact compliance with such regulations.

Detection Guidance

This vulnerability can be detected by testing the behavior of the uutils coreutils `id` command when the real UID and effective UID differ, especially when manipulating effective group IDs. Specifically, running the `id` command with manipulated user and group IDs can reveal incorrect or crashing behavior.

  • Use the `setpriv` command to change effective user and group IDs and observe the output of the `id` command.
  • Example commands to detect the issue include:
  • 1. `sudo setpriv --regid 1337 --clear-groups target/release/id -p login root` β€” this may cause a crash with an error like "No such id: 1337".
  • 2. `sudo setpriv --reuid 3000 --egid 2000 --clear-groups target/release/id` β€” check if the groups output is incorrect (e.g., shows `groups=0(root)` instead of `groups=2000(u2000)`).
  • 3. `sudo setpriv --euid 3000 --egid 2000 --clear-groups target/release/id` β€” verify if the uid output is inconsistent (e.g., shows `uid=0(root)` instead of `uid=3000(u3000)`).
Mitigation Strategies

To mitigate the vulnerability in the uutils coreutils 'id' command, you should avoid using the affected 'id' utility in environments where the real UID and effective UID differ, especially when scripts or administrators rely on its output for access control decisions.

Additionally, refrain from running the 'id' command with manipulated or non-existent group IDs that could trigger crashes or incorrect output.

Consider using the standard GNU coreutils 'id' command as a safer alternative until the issue in uutils coreutils is resolved.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35371. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart