CVE-2026-35370
MEDIUMuutils coreutils id Incorrect Access-Control Decisions via Misrepresented Group Membership
Title source: cnaDescription
The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions, this discrepancy can lead to unauthorized access or security misconfigurations.
References (1)
Core 1
Core References
Issue Tracking issue-tracking
https://github.com/uutils/coreutils/issues/10006
Scores
CVSS v3
4.4
EPSS
0.0011
EPSS Percentile
1.4%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (3)
crates.io/coreutils
0crates.io
Uutils/coreutils
uutils/coreutils
Published
Apr 22, 2026
Tracked Since
Apr 22, 2026