CVE-2026-35371
Incorrect UID Lookup in uutils coreutils id Causes Misleading Output
Publication date: 2026-04-22
Last updated on: 2026-05-04
Assigner: Canonical Ltd.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uutils | coreutils | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-451 | The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability causes the `id` utility in uutils coreutils to produce misleading diagnostic output when the real UID and effective UID differ, due to incorrect use of the effective GID instead of the effective UID during name lookup.
This misleading output can cause automated scripts or system administrators to make incorrect decisions regarding file permissions or access control.
While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, inaccurate permission or access control decisions could potentially lead to unauthorized access or improper handling of sensitive data, which may impact compliance with such regulations.
Can you explain this vulnerability to me?
The vulnerability exists in the id utility of uutils coreutils, where the "pretty print" output behaves incorrectly when the real UID and effective UID differ.
Specifically, the implementation mistakenly uses the effective GID instead of the effective UID during the name lookup for the effective user.
This causes misleading diagnostic output, which can confuse automated scripts or system administrators.
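A simplified model of the mistake described above, added here as an illustration and not taken from the uutils source: the passwd table, the function names and the `uid`/`euid` line labels are all constructed. It also covers a case the text does not spell out: when the effective UID and effective GID are numerically equal, the flawed and corrected lookups agree, so the wrong name only appears when the two values differ.

```rust
use std::collections::HashMap;

// Constructed passwd table (UID -> login name); nothing is read from the system.
fn passwd() -> HashMap<u32, &'static str> {
    HashMap::from([(0, "root"), (2000, "svc-backup"), (3000, "u3000")])
}

// Resolve a UID to a login name, falling back to the number when no entry exists.
fn user_name(db: &HashMap<u32, &'static str>, uid: u32) -> String {
    db.get(&uid).map_or_else(|| uid.to_string(), |n| n.to_string())
}

// Shared layout: a "uid" line, plus an "euid" line only when real and effective differ.
fn render(ruid: u32, euid: u32, lookup_id: u32) -> Vec<String> {
    let db = passwd();
    let mut lines = vec![format!("uid\t{}", user_name(&db, ruid))];
    if ruid != euid {
        lines.push(format!("euid\t{}", user_name(&db, lookup_id)));
    }
    lines
}

// Flawed variant: the effective user's name is looked up with the effective GID.
fn pretty_flawed(ruid: u32, euid: u32, egid: u32) -> Vec<String> {
    render(ruid, euid, egid)
}

// Corrected variant: the effective user's name is looked up with the effective UID.
fn pretty_fixed(ruid: u32, euid: u32, _egid: u32) -> Vec<String> {
    render(ruid, euid, euid)
}

fn main() {
    // (real UID, effective UID, effective GID) triples, all constructed.
    for (ruid, euid, egid) in [(0, 3000, 2000), (0, 3000, 3000), (0, 3000, 1337)] {
        let (bad, good) = (pretty_flawed(ruid, euid, egid), pretty_fixed(ruid, euid, egid));
        println!("euid={euid} egid={egid} flawed={bad:?} fixed={good:?} differ={}", bad != good);
    }
}
```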
How can this vulnerability impact me?
The misleading output from the id utility can lead to incorrect decisions about file permissions or access control.
Automated scripts or system administrators relying on this output might misinterpret user identity information, potentially causing improper permission settings or security configurations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the behavior of the uutils coreutils `id` command when the real UID and effective UID differ, especially when manipulating effective group IDs. Specifically, running the `id` command with manipulated user and group IDs can reveal incorrect or crashing behavior.
- Use the `setpriv` command to change effective user and group IDs and observe the output of the `id` command.
- Example commands to detect the issue include:
  1. `sudo setpriv --regid 1337 --clear-groups target/release/id -p login root`: this may cause a crash with an error like "No such id: 1337".
  2. `sudo setpriv --reuid 3000 --egid 2000 --clear-groups target/release/id`: check if the groups output is incorrect (e.g., shows `groups=0(root)` instead of `groups=2000(u2000)`).
  3. `sudo setpriv --euid 3000 --egid 2000 --clear-groups target/release/id`: verify if the uid output is inconsistent (e.g., shows `uid=0(root)` instead of `uid=3000(u3000)`).
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability in the uutils coreutils `id` command, you should avoid using the affected `id` utility in environments where the real UID and effective UID differ, especially when scripts or administrators rely on its output for access control decisions.
Additionally, refrain from running the `id` command with manipulated or non-existent group IDs that could trigger crashes or incorrect output.
Consider using the standard GNU coreutils `id` command as a safer alternative until the issue in uutils coreutils is resolved.