Vulnerability Description
The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions, this discrepancy can lead to unauthorized access or security misconfigurations.
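A model of the discrepancy described above, added here as an example (it is not code from uutils or GNU coreutils): it builds the groups= list once from the effective GID and once from the real GID, then reports the difference. The function names and the sample GIDs are constructed for illustration.

```python
import os


def groups_section(primary_gid, supplementary):
    """Model a groups= list: primary GID first, then the supplementary
    GIDs in order, with duplicates dropped."""
    ordered = [primary_gid]
    for gid in supplementary:
        if gid not in ordered:
            ordered.append(gid)
    return ordered


def compare(rgid, egid, supplementary):
    """Build the list from the effective GID (the behaviour the description
    expects) and from the real GID (the reported miscalculation), then
    report which GIDs a script parsing groups= would miss or wrongly see."""
    expected = groups_section(egid, supplementary)
    affected = groups_section(rgid, supplementary)
    return {
        "expected": expected,
        "affected": affected,
        "missing": [g for g in expected if g not in affected],
        "extra": [g for g in affected if g not in expected],
        "diverges": set(expected) != set(affected),
    }


def check_current_process():
    """Apply the comparison to this process's own credentials."""
    return compare(os.getgid(), os.getegid(), os.getgroups())


if __name__ == "__main__":
    # Constructed credentials: real GID 1000, effective GID 50 (as in a
    # setgid context), supplementary groups 1000 and 27.
    sample = compare(rgid=1000, egid=50, supplementary=[1000, 27])
    print("constructed:", sample)
    # Real and effective GID normally match, so no divergence is expected
    # here unless this script runs with a changed effective GID.
    print("this process:", check_current_process())
```

In this model, when the effective GID is already among the supplementary groups, both lists contain the same GIDs and only their order differs.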
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Uutils | Coreutils | - |
Related Weaknesses (CWE)
References
- https://github.com/uutils/coreutils/issues/10006 (Exploit, Issue Tracking)
FAQ
What is CVE-2026-35370?
CVE-2026-35370 is a vulnerability with a CVSS score of 4.4 (MEDIUM). The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to poten...
How severe is CVE-2026-35370?
CVE-2026-35370 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-35370?
Check the references section above for vendor advisories and patch information. Affected products include: Uutils Coreutils.