CVE-2026-35365
MEDIUMuutils coreutils mv Denial of Service and Data Duplication via Improper Symlink Expansion
Title source: cnaDescription
The mv utility in uutils coreutils improperly handles directory trees containing symbolic links during moves across filesystem boundaries. Instead of preserving symlinks, the implementation expands them, copying the linked targets as real files or directories at the destination. This can lead to resource exhaustion (disk space or time) if symlinks point to large external directories, unexpected duplication of sensitive data into unintended locations, or infinite recursion and repeated copying in the presence of symlink loops.
References (2)
Core 2
Core References
Patch issue-tracking
patch
https://github.com/uutils/coreutils/pull/10546
Vendor Advisory vendor-advisory
https://github.com/uutils/coreutils/releases/tag/0.7.0
Scores
CVSS v3
6.6
EPSS
0.0016
EPSS Percentile
5.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-59
Status
published
Products (3)
crates.io/coreutils
0 - 0.7.0crates.io
Uutils/coreutils
< 0.7.0
uutils/coreutils
< 0.7.0
Published
Apr 22, 2026
Tracked Since
Apr 22, 2026