Medium severity4.2NVD Advisory· Published Apr 22, 2026· Updated Apr 27, 2026

CVE-2026-35351

Description

The mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls back to a copy-and-delete routine that creates the destination file using the caller's UID/GID rather than the source's metadata. This flaw breaks backups and migrations, causing files moved by a privileged user (e.g., root) to become root-owned unexpectedly, which can lead to information disclosure or restricted access for the intended owners.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
coreutilscrates.io	<= 0.8.0	—

Affected products

Uutils/Coreutils
cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/uutils/coreutils/issues/9714nvdExploitIssue TrackingVendor AdvisoryWEB
github.com/advisories/GHSA-957r-r8gc-vv3hghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-35351ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.273
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000