Medium severity6.6NVD Advisory· Published Apr 22, 2026· Updated Apr 24, 2026
CVE-2026-35350
CVE-2026-35350
Description
The cp utility in uutils coreutils fails to properly handle setuid and setgid bits when ownership preservation fails. When copying with the -p (preserve) flag, the utility applies the source mode bits even if the chown operation is unsuccessful. This can result in a user-owned copy retaining original privileged bits, creating unexpected privileged executables that violate local security policies. This differs from GNU cp, which clears these bits when ownership cannot be preserved.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
coreutilscrates.io | <= 0.8.0 | — |
Affected products
4- osv-coords3 versions
< 0.9.0-r0+ 2 more
- (no CPE)range: < 0.9.0-r0
- (no CPE)range: < 0.9.0-r0
- (no CPE)range: <= 0.8.0
Patches
Vulnerability mechanics
References
3- github.com/uutils/coreutils/issues/9750nvdExploitIssue TrackingVendor AdvisoryWEB
- github.com/advisories/GHSA-x2wv-9p67-mh9wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-35350ghsaADVISORY
News mentions
0No linked articles in our index yet.