Medium severity 4.4 · NVD Advisory · Published Apr 22, 2026 · Updated May 4, 2026
CVE-2026-35370
Description
The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions, this discrepancy can lead to unauthorized access or security misconfigurations.
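The check below is an added example, not code from the advisory or from the uutils project: it parses the default `id` output and compares the `groups=` section with the credentials the kernel reports for the same process. It assumes the reference behaviour is that `groups=` contains the effective GID plus the supplementary groups; the sample lines, user and group names, and function names are constructed for illustration and are not captured output from either implementation.

```python
import os
import re
import subprocess

# Constructed sample lines (assumption: a process whose effective GID is 42
# while its real GID is 1000).
REFERENCE = "uid=1000(alice) gid=1000(alice) egid=42(shadow) groups=42(shadow),1000(alice),27(sudo)"
DIVERGENT = "uid=1000(alice) gid=1000(alice) egid=42(shadow) groups=1000(alice),27(sudo)"

def parse_id(text):
    """Return numeric uid/gid/euid/egid (when present) and the set of GIDs in groups=."""
    out = {"groups": set()}
    for key in ("uid", "gid", "euid", "egid"):
        m = re.search(rf"\b{key}=(\d+)", text)
        if m:
            out[key] = int(m.group(1))
    # groups= runs to the end of the line or to an SELinux context= field.
    m = re.search(r"\bgroups=(.*?)(?:\s+context=|$)", text.strip())
    if m:
        # Split on commas so group names containing spaces do not break parsing;
        # only the leading numeric ID of each entry is compared.
        for field in m.group(1).split(","):
            num = re.match(r"\d+", field.strip())
            if num:
                out["groups"].add(int(num.group()))
    return out

def check_groups(id_text, egid, supplementary):
    """Diff the groups= list against effective GID + supplementary groups."""
    listed = parse_id(id_text)["groups"]
    expected = set(supplementary) | {egid}
    return {"missing": sorted(expected - listed),
            "unexpected": sorted(listed - expected)}

def check_live(id_binary="id"):
    """Run the installed id and compare it with this process's own credentials.
    The child inherits the same effective GID and supplementary groups."""
    text = subprocess.run([id_binary], capture_output=True, text=True, check=True).stdout
    return check_groups(text, os.getegid(), os.getgroups())

if __name__ == "__main__":
    print("reference sample:", check_groups(REFERENCE, 42, [1000, 27]))
    print("divergent sample:", check_groups(DIVERGENT, 42, [1000, 27]))
    print("installed id    :", check_live())
```

A non-empty `missing` list on a host means scripts that gate access on the text of `id` would see a different group set than the kernel enforces; reading `os.getegid()` and `os.getgroups()` (or the equivalent system calls) directly avoids depending on the tool's output.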
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| coreutils (crates.io) | <= 0.8.0 | — |
Affected products
Total: 5
- osv-coords (3 versions): < 0.9.0-r0, + 2 more
- (no CPE) range: < 0.9.0-r0
- (no CPE) range: < 0.9.0-r0
- (no CPE) range: <= 0.8.0
References
Total: 3
- github.com/uutils/coreutils/issues/10006 (source: nvd; tags: Exploit, Issue Tracking; type: WEB)
- github.com/advisories/GHSA-q94g-3gcf-66x7 (source: ghsa; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-35370 (source: ghsa; type: ADVISORY)