CVE-2026-35350

MEDIUM

uutils coreutils cp Unexpected Privileged Executable Creation with -p

Title source: cna

Description

The cp utility in uutils coreutils fails to properly handle setuid and setgid bits when ownership preservation fails. When copying with the -p (preserve) flag, the utility applies the source mode bits even if the chown operation is unsuccessful. This can result in a user-owned copy retaining original privileged bits, creating unexpected privileged executables that violate local security policies. This differs from GNU cp, which clears these bits when ownership cannot be preserved.

References (1)

[Issue Tracking] https://github.com/uutils/coreutils/issues/9750

Scores

CVSS v3 6.6

EPSS 0.0001

EPSS Percentile 1.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-281

Status published

Products (2)

Uutils/coreutils

uutils/coreutils

Published Apr 22, 2026

Tracked Since Apr 22, 2026