Medium severity6.6NVD Advisory· Published Apr 22, 2026· Updated Apr 24, 2026

CVE-2026-35350

Description

The cp utility in uutils coreutils fails to properly handle setuid and setgid bits when ownership preservation fails. When copying with the -p (preserve) flag, the utility applies the source mode bits even if the chown operation is unsuccessful. This can result in a user-owned copy retaining original privileged bits, creating unexpected privileged executables that violate local security policies. This differs from GNU cp, which clears these bits when ownership cannot be preserved.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
coreutilscrates.io	<= 0.8.0	—

Affected products

Uutils/Coreutils
cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/uutils/coreutils/issues/9750nvdExploitIssue TrackingVendor AdvisoryWEB
github.com/advisories/GHSA-x2wv-9p67-mh9wghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-35350ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.429
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000