Medium severity5.5NVD Advisory· Published Apr 22, 2026· Updated May 4, 2026
CVE-2026-35340
CVE-2026-35340
Description
A flaw in the ChownExecutor used by uutils coreutils chown and chgrp causes the utilities to return an incorrect exit code during recursive operations. The final exit code is determined only by the last file processed. If the last operation succeeds, the command returns 0 even if earlier ownership or group changes failed due to permission errors. This can lead to security misconfigurations where administrative scripts incorrectly assume that ownership has been successfully transferred across a directory tree.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
coreutilscrates.io | < 0.6.0 | 0.6.0 |
Affected products
3Patches
Vulnerability mechanics
References
5- github.com/uutils/coreutils/pull/10035nvdIssue TrackingPatchWEB
- github.com/advisories/GHSA-88ch-q68x-36v7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-35340ghsaADVISORY
- github.com/uutils/coreutils/commit/ebc08af9c34138f474b32ea0ef34bed3b086a3edghsaWEB
- github.com/uutils/coreutils/releases/tag/0.6.0nvdRelease NotesWEB
News mentions
0No linked articles in our index yet.