CVE-2026-35372
CVE-2026-35372 is a medium-severity vulnerability in Uutils Coreutils with a CVSS 3.x base score of 5.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-61.
Key facts
- Severity: Medium (CVSS 3.x base score 5.0)
- EPSS exploit prediction: 0% (4th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-25020
- Weakness: CWE-61
- Affected product: Uutils Coreutils
- Published:
- Last modified:
Description
A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference (or -n) flag is explicitly provided. The implementation previously only honored the "no-dereference" intent if the --force (overwrite) mode was also enabled. This flaw causes ln to follow a symbolic link that points to a directory and create new links inside that target directory instead of treating the symbolic link itself as the destination. In environments where a privileged user or system script uses ln -n to update a symlink, a local attacker could manipulate existing symbolic links to redirect file creation into sensitive directories, potentially leading to unauthorized file creation or system misconfiguration.
Frequently asked questions
- What is CVE-2026-35372?
- A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference (or -n) flag is explicitly provided. The implementation previously only honored the "no-dereference" intent if the --force (overwrite) mode was also enabled. This flaw causes ln to follow a symbolic link that points to a directory and create new links inside that target directory instead of treating the symbolic link itself as the destination. In environments where a privileged user or system script uses ln -n to update a symlink, a local attacker could manipulate existing symbolic links to redirect file creation into sensitive directories, potentially leading to unauthorized file creation or system misconfiguration.
- How severe is CVE-2026-35372?
- CVE-2026-35372 has a CVSS 3.x base score of 5.0, rated medium severity. It is exploitable over local access with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is none, integrity high, and availability none.
- Is CVE-2026-35372 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (4th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-35372?
- CVE-2026-35372 affects Uutils Coreutils. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-35372?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-35372 have an EU (EUVD) identifier?
- Yes. CVE-2026-35372 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-25020.
- When was CVE-2026-35372 published?
- CVE-2026-35372 was published on 2026-04-22 and last updated on 2026-06-17.
References
- https://github.com/uutils/coreutils/pull/11253
- https://github.com/uutils/coreutils/releases/tag/0.8.0
Affected products (1)
- cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*
More vulnerabilities in Uutils Coreutils
- CVE-2026-35368 — High (CVSS 7.8): A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves…
- CVE-2026-35338 — High (CVSS 7.3): A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism.…
- CVE-2026-35341 — High (CVSS 7.1): A vulnerability in uutils coreutils mkfifo allows for the unauthorized modification of permissions on existing files.…
- CVE-2026-35352 — High (CVSS 7.0): A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility…
- CVE-2026-35349 — Medium (CVSS 6.7): A vulnerability in the rm utility of uutils coreutils allows a bypass of the --preserve-root protection. The…
- CVE-2026-35365 — Medium (CVSS 6.6): The mv utility in uutils coreutils improperly handles directory trees containing symbolic links during moves across…
All CVEs affecting Uutils Coreutils →
Other CWE-61 vulnerabilities
- CVE-2026-34078 — Critical (CVSS 10.0): Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths…
- CVE-2025-62596 — Critical (CVSS 10.0): Youki is a container runtime written in Rust. In versions 0.5.6 and below, youki’s apparmor handling performs…
- CVE-2025-62161 — Critical (CVSS 10.0): Youki is a container runtime written in Rust. In versions 0.5.6 and below, the initial validation of the source…
- CVE-2025-23394 — Critical (CVSS 9.8): A UNIX Symbolic Link (Symlink) Following vulnerability in openSUSE Tumbleweed cyrus-imapd allows escalation from cyrus…
- CVE-2024-54661 — Critical (CVSS 9.8): readline.sh in socat before1.8.0.2 relies on the /tmp/$USER/stderr2 file.
- CVE-2026-55447 — Critical (CVSS 9.6): Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, by controlling a files…