Medium severity4.4NVD Advisory· Published Apr 22, 2026· Updated May 4, 2026
CVE-2026-35370
CVE-2026-35370
Description
The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions, this discrepancy can lead to unauthorized access or security misconfigurations.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
coreutilscrates.io | <= 0.8.0 | — |
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/uutils/coreutils/issues/10006nvdExploitIssue TrackingWEB
- github.com/advisories/GHSA-q94g-3gcf-66x7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-35370ghsaADVISORY
News mentions
0No linked articles in our index yet.