coreutils (crates.io) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the crates.io package coreutils, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (44)
CVE-2026-35368 — CVSS 7.8 (high): A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user…
CVE-2026-35338 — CVSS 7.3 (high): A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism. The implementation…
CVE-2026-35341 — CVSS 7.1 (high): A vulnerability in uutils coreutils mkfifo allows for the unauthorized modification of permissions on existing files. When mkfifo fails to…
CVE-2026-35352 — CVSS 7.0 (high): A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO and…
CVE-2026-35349 — CVSS 6.7 (medium): A vulnerability in the rm utility of uutils coreutils allows a bypass of the --preserve-root protection. The implementation uses a…
CVE-2026-35350 — CVSS 6.6 (medium): The cp utility in uutils coreutils fails to properly handle setuid and setgid bits when ownership preservation fails. When copying with the…
CVE-2026-35365 — CVSS 6.6 (medium): The mv utility in uutils coreutils improperly handles directory trees containing symbolic links during moves across filesystem boundaries…
CVE-2026-35364 — CVSS 6.3 (medium): A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The…
CVE-2026-35360 — CVSS 6.3 (medium): The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When…
CVE-2026-35374 — CVSS 6.3 (medium): A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the split utility of uutils coreutils. The program attempts to prevent data…
CVE-2026-35355 — CVSS 6.3 (medium): The install utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file installation…
CVE-2026-35356 — CVSS 6.3 (medium): A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the install utility of uutils coreutils when using the -D flag. The command…
CVE-2026-35363 — CVSS 5.6 (medium): A vulnerability in the rm utility of uutils coreutils allows the bypass of safeguard mechanisms intended to protect the current directory…
CVE-2026-35348 — CVSS 5.5 (medium): The sort utility in uutils coreutils is vulnerable to a process panic when using the --files0-from option with inputs containing non-UTF-8…
CVE-2026-35339 — CVSS 5.5 (medium): The recursive mode (-R) of the chmod utility in uutils coreutils incorrectly handles exit codes when processing multiple files. The final…
CVE-2026-35340 — CVSS 5.5 (medium): A flaw in the ChownExecutor used by uutils coreutils chown and chgrp causes the utilities to return an incorrect exit code during recursive…
CVE-2026-35369 — CVSS 5.5 (medium): An argument parsing error in the kill utility of uutils coreutils incorrectly interprets kill -1 as a request to send the default signal…
CVE-2026-35380 — CVSS 5.5 (medium): A logic error in the cut utility of uutils coreutils causes the program to incorrectly interpret the literal two-byte string '' (two single…
CVE-2026-35345 — CVSS 5.3 (medium): A vulnerability in the tail utility of uutils coreutils allows for the exfiltration of sensitive file contents when using the --follow=name…
CVE-2026-35372 — CVSS 5.0 (medium): A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference…
CVE-2026-35357 — CVSS 4.7 (medium): The cp utility in uutils coreutils is vulnerable to an information disclosure race condition. Destination files are initially created with…
CVE-2026-35359 — CVSS 4.7 (medium): A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference…
CVE-2026-35354 — CVSS 4.7 (medium): A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mv utility of uutils coreutils during cross-device moves. The extended…
CVE-2026-35376 — CVSS 4.5 (medium): A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the chcon utility of uutils coreutils during recursive operations. The…
CVE-2026-35370 — CVSS 4.4 (medium): The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of…
CVE-2026-35358 — CVSS 4.4 (medium): The cp utility in uutils coreutils, when performing recursive copies (-R), incorrectly treats character and block device nodes as stream…
CVE-2026-35366 — CVSS 4.4 (medium): The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX…
CVE-2026-35347 — CVSS 4.4 (medium): The comm utility in uutils coreutils incorrectly consumes data from non-regular file inputs before performing comparison operations. The…
CVE-2026-35351 — CVSS 4.2 (medium): The mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls…
CVE-2026-35362 — CVSS 3.6 (low): The safe_traversal module in uutils coreutils, which provides protection against Time-of-Check to Time-of-Use (TOCTOU) symlink races using…
CVE-2026-35361 — CVSS 3.4 (low): The mknod utility in uutils coreutils fails to handle security labels atomically by creating device nodes before setting the SELinux…
CVE-2026-35353 — CVSS 3.3 (low): The mkdir utility in uutils coreutils incorrectly applies permissions when using the -m flag by creating a directory with umask-derived…
CVE-2026-35346 — CVSS 3.3 (low): The comm utility in uutils coreutils silently corrupts data by performing lossy UTF-8 conversion on all output lines. The implementation…
CVE-2026-35344 — CVSS 3.3 (low): The dd utility in uutils coreutils suppresses errors during file truncation operations by unconditionally calling Result::ok() on…
CVE-2026-35367 — CVSS 3.3 (low): The nohup utility in uutils coreutils creates its default output file, nohup.out, without specifying explicit restricted permissions. This…
CVE-2026-35343 — CVSS 3.3 (low): The cut utility in uutils coreutils incorrectly handles the -s (only-delimited) option when a newline character is specified as the…
CVE-2026-35381 — CVSS 3.3 (low): A logic error in the cut utility of uutils coreutils causes the utility to ignore the -s (only-delimited) flag when using the -z…
CVE-2026-35371 — CVSS 3.3 (low): The id utility in uutils coreutils exhibits incorrect behavior in its "pretty print" output when the real UID and effective UID differ. The…
CVE-2026-35373 — CVSS 3.3 (low): A logic error in the ln utility of uutils coreutils causes the program to reject source paths containing non-UTF-8 filename bytes when…
CVE-2026-35342 — CVSS 3.3 (low): The mktemp utility in uutils coreutils fails to properly handle an empty TMPDIR environment variable. Unlike GNU mktemp, which falls back…
CVE-2026-35375 — CVSS 3.3 (low): A logic error in the split utility of uutils coreutils causes the corruption of output filenames when provided with non-UTF-8 prefix or…
CVE-2026-35377 — CVSS 3.3 (low): A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S…
CVE-2026-35378 — CVSS 3.3 (low): A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase…
CVE-2026-35379 — CVSS 3.3 (low): A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the [:graph:] and [:print:] character classes…