CVE-2026-35338

NameCVE-2026-35338
DescriptionA vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism. The implementation only validates if the target path is literally / and does not canonicalize the path. An attacker or accidental user can use path variants such as /../ or symbolic links to execute destructive recursive operations (e.g., chmod -R 000) on the entire root filesystem, leading to system-wide permission loss and potential complete system breakdown.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1134876

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rust-coreutils (PTS)bookworm0.0.17-2vulnerable
trixie0.0.30-2vulnerable
sid0.8.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
rust-coreutilssource(unstable)0.6.0-11134876

Notes

[trixie] - rust-coreutils <no-dsa> (Minor issue)
[bookworm] - rust-coreutils <no-dsa> (Minor issue)
https://github.com/uutils/coreutils/pull/10033
Fixed by: https://github.com/uutils/coreutils/commit/413055b378fa6fe2299c5e5f538c8e6e841ab810 (0.6.0)
Search for package or bug name: Reporting problems