Medium severity5.5NVD Advisory· Published Apr 22, 2026· Updated May 4, 2026
CVE-2026-35369
CVE-2026-35369
Description
An argument parsing error in the kill utility of uutils coreutils incorrectly interprets kill -1 as a request to send the default signal (SIGTERM) to PID -1. Sending a signal to PID -1 causes the kernel to terminate all processes visible to the caller, potentially leading to a system crash or massive process termination. This differs from GNU coreutils, which correctly recognizes -1 as a signal number in this context and would instead report a missing PID argument.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
coreutilscrates.io | < 0.6.0 | 0.6.0 |
Affected products
2Patches
12d3aebce6712Merge pull request #9700 from sylvestre/issue-9699
2 files changed · +26 −2
src/uu/kill/src/kill.rs+2 −2 modified@@ -137,8 +137,8 @@ pub fn uu_app() -> Command { } fn handle_obsolete(args: &mut Vec<String>) -> Option<usize> { - // Sanity check - if args.len() > 2 { + // Sanity check - need at least the program name and one argument + if args.len() >= 2 { // Old signal can only be in the first argument position let slice = args[1].as_str(); if let Some(signal) = slice.strip_prefix('-') {
tests/by-util/test_kill.rs+24 −0 modified@@ -395,3 +395,27 @@ fn test_kill_with_signal_and_table() { .arg("-t") .fails(); } + +/// Test that `kill -1` (signal without PID) reports "no process ID" error +/// instead of being misinterpreted as pid=-1 which would kill all processes. +/// This matches GNU kill behavior. +#[test] +fn test_kill_signal_only_no_pid() { + // Test with -1 (SIGHUP) + new_ucmd!() + .arg("-1") + .fails() + .stderr_contains("no process ID specified"); + + // Test with -9 (SIGKILL) + new_ucmd!() + .arg("-9") + .fails() + .stderr_contains("no process ID specified"); + + // Test with -TERM + new_ucmd!() + .arg("-TERM") + .fails() + .stderr_contains("no process ID specified"); +}
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/uutils/coreutils/pull/9700nvdIssue TrackingPatchWEB
- github.com/advisories/GHSA-gpcg-h6x2-c26pghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-35369ghsaADVISORY
- github.com/uutils/coreutils/commit/2d3aebce6712841bc08b9b94e9078be50a25fc10ghsaWEB
- github.com/uutils/coreutils/releases/tag/0.6.0nvdRelease NotesWEB
News mentions
0No linked articles in our index yet.