Vulnerability Description
A flaw in the ChownExecutor used by uutils coreutils chown and chgrp causes the utilities to return an incorrect exit code during recursive operations. The final exit code is determined only by the last file processed. If the last operation succeeds, the command returns 0 even if earlier ownership or group changes failed due to permission errors. This can lead to security misconfigurations where administrative scripts incorrectly assume that ownership has been successfully transferred across a directory tree.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Uutils | Coreutils | < 0.6.0 |
Related Weaknesses (CWE)
References
- https://github.com/uutils/coreutils/pull/10035Issue TrackingPatch
- https://github.com/uutils/coreutils/releases/tag/0.6.0Release Notes
FAQ
What is CVE-2026-35340?
CVE-2026-35340 is a vulnerability with a CVSS score of 5.5 (MEDIUM). A flaw in the ChownExecutor used by uutils coreutils chown and chgrp causes the utilities to return an incorrect exit code during recursive operations. The final exit code is determined only by the la...
How severe is CVE-2026-35340?
CVE-2026-35340 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-35340?
Check the references section above for vendor advisories and patch information. Affected products include: Uutils Coreutils.