CVE-2026-35358
MEDIUMuutils coreutils cp Semantic Loss and Potential Denial of Service with -R via Device Node Stream Reading
Title source: cnaDescription
The cp utility in uutils coreutils, when performing recursive copies (-R), incorrectly treats character and block device nodes as stream sources rather than preserving them. Because the implementation reads bytes into regular files at the destination instead of using mknod, device semantics are destroyed (e.g., /dev/null becomes a regular file). This behavior can lead to runtime denial of service through disk exhaustion or process hangs when reading from unbounded device nodes.
References (3)
Core 3
Core References
Patch patch
https://github.com/uutils/coreutils/pull/11163
Issue Tracking issue-tracking
https://github.com/uutils/coreutils/issues/9746
Vendor Advisory vendor-advisory
https://github.com/uutils/coreutils/releases/tag/0.7.0
Scores
CVSS v3
4.4
EPSS
0.0018
EPSS Percentile
7.5%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-706
Status
published
Products (3)
crates.io/coreutils
0 - 0.7.0crates.io
Uutils/coreutils
< 0.7.0
uutils/coreutils
< 0.7.0
Published
Apr 22, 2026
Tracked Since
Apr 22, 2026