VIR Vulnerability Intelligence Relay

CVE-2026-35351

medium
Published 2026-04-22 Β· Modified 2026-06-02
πŸ’¬ Discuss on Community ✚ Propose mitigation
CVSS v3
β€”
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CVSS v4 NEW
β€”
not yet in upstream
VIR risk
5.5

Description

uutils coreutils doesn't preserve file ownership during moves across different filesystem boundaries

Predictions

Exploit likelihood
20%
Patch ETA
β€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker Β· View original β†— Β· DFSG

CVE-2026-35351 NameCVE-2026-35351 DescriptionThe mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls back to a copy-and-delete routine that creates the destination file using the caller's UID/GID rather than the source's metadata. This flaw breaks backups and migrations, causing files moved by a privileged user…

CVE-2026-35351

NameCVE-2026-35351
DescriptionThe mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls back to a copy-and-delete routine that creates the destination file using the caller's UID/GID rather than the source's metadata. This flaw breaks backups and migrations, causing files moved by a privileged user (e.g., root) to become root-owned unexpectedly, which can lead to information disclosure or restricted access for the intended owners.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1136041

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rust-coreutils (PTS)bookworm0.0.17-2vulnerable
trixie0.0.30-2vulnerable
sid0.9.0-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
rust-coreutilssource(unstable)(unfixed)1136041

Notes

[trixie] - rust-coreutils <no-dsa> (Minor issue)
[bookworm] - rust-coreutils <no-dsa> (Minor issue)
https://github.com/uutils/coreutils/issues/9714
https://github.com/uutils/coreutils/pull/11706
Fixed by: https://github.com/uutils/coreutils/commit/874efa7cc3361cb5af2a97db869147f910bcab44

Home - Debian Security - Source (Git)

Apply commands

text fix
Notes
[trixie] - rust-coreutils <no-dsa> (Minor issue)[bookworm] - rust-coreutils <no-dsa> (Minor issue)https://github.com/uutils/coreutils/issues/9714https://github.com/uutils/coreutils/pull/11706Fixed by: https://github.com/uutils/coreutils/commit/874efa7cc3361cb5af2a97db869147f910bcab44

OS impact
debian Debian Mixed 3 releases
VersionStatusFixed in
trixie Affected β€”
sid Fixed 0.9.0-1
bookworm Affected β€”

Package impact
EcosystemPackageVulnerableFixed
rust crates.iocoreutils<=0.8.0
rust RUSTcoreutils<= 0.8.0

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.