CVE-2026-35372
Received Received - Intake

Logic Error in uutils coreutils ln Causes Symlink Dereference

Vulnerability report for CVE-2026-35372, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-22

Last updated on: 2026-05-04

Assigner: Canonical Ltd.

Description

A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference (or -n) flag is explicitly provided. The implementation previously only honored the "no-dereference" intent if the --force (overwrite) mode was also enabled. This flaw causes ln to follow a symbolic link that points to a directory and create new links inside that target directory instead of treating the symbolic link itself as the destination. In environments where a privileged user or system script uses ln -n to update a symlink, a local attacker could manipulate existing symbolic links to redirect file creation into sensitive directories, potentially leading to unauthorized file creation or system misconfiguration.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-22
Last Modified
2026-05-04
Generated
2026-07-06
AI Q&A
2026-04-22
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
uutils coreutils to 0.8.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a logic error in the ln utility of uutils coreutils. It causes the utility to dereference a symbolic link target even when the --no-dereference (or -n) flag is explicitly provided. Normally, the --no-dereference flag should prevent ln from following symbolic links, but due to this flaw, ln only respects this flag if the --force (overwrite) mode is also enabled.

As a result, ln follows a symbolic link that points to a directory and creates new links inside that target directory instead of treating the symbolic link itself as the destination.

This means that if a privileged user or system script uses ln -n to update a symlink, a local attacker could manipulate existing symbolic links to redirect file creation into sensitive directories.

Compliance Impact

The vulnerability in the ln utility allows unintended dereferencing of symbolic links, which can lead to unauthorized file creation or system misconfiguration by local attackers. This behavior could potentially impact compliance with standards and regulations such as GDPR or HIPAA, which require strict controls over data integrity and access to sensitive information.

Specifically, if an attacker exploits this flaw to redirect file creation into sensitive directories, it may result in unauthorized modification or insertion of files, violating principles of data integrity and security mandated by these regulations.

However, the provided information does not explicitly detail the direct compliance impact or mention any regulatory assessments.

Detection Guidance

Detection of this vulnerability involves verifying whether the ln utility in uutils coreutils improperly dereferences symbolic links when the --no-dereference (or -n) flag is used without the --force flag.

You can test this behavior by creating a symbolic link to a directory and then using the ln command with the --no-dereference flag to see if it creates links inside the target directory instead of treating the symlink itself as the destination.

  • Create a directory and a symbolic link pointing to it: mkdir /tmp/target_dir; ln -s /tmp/target_dir /tmp/symlink_dir
  • Run the ln command with the --no-dereference flag to create a new link: ln -n /tmp/source_file /tmp/symlink_dir/new_link
  • Check if the new link was created inside /tmp/target_dir (vulnerable behavior) or if it treated /tmp/symlink_dir as the link destination (correct behavior).
Mitigation Strategies

To mitigate this vulnerability, update the uutils coreutils package to a version that includes the fix for the ln utility's --no-dereference flag behavior.

The fix was merged on March 11, 2026, ensuring that ln properly respects the --no-dereference flag and does not dereference symbolic links unintentionally.

Until the update is applied, avoid using ln with the --no-dereference flag in privileged scripts or environments where symbolic links could be manipulated by local attackers.

Impact Analysis

The vulnerability can allow a local attacker to cause unauthorized file creation or system misconfiguration by manipulating symbolic links.

Specifically, because ln may follow a symbolic link and create new links inside the linked directory instead of the symlink itself, attackers can redirect file creation into sensitive directories.

This could lead to security issues such as unauthorized modification of system files or configuration, potentially compromising system integrity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35372. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart