CVE-2026-35372

MEDIUM

uutils coreutils ln Security Bypass via Improper Handling of the --no-dereference Flag


Description

A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference (or -n) flag is explicitly provided. The implementation previously only honored the "no-dereference" intent if the --force (overwrite) mode was also enabled. This flaw causes ln to follow a symbolic link that points to a directory and create new links inside that target directory instead of treating the symbolic link itself as the destination. In environments where a privileged user or system script uses ln -n to update a symlink, a local attacker could manipulate existing symbolic links to redirect file creation into sensitive directories, potentially leading to unauthorized file creation or system misconfiguration.
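A check that tells whether a given ln honours -n when the destination is an existing symlink to a directory and -f is absent, written here for this advisory and not taken from the uutils project. The function names and the sandbox layout are assumptions; fake_vulnerable_ln is a hypothetical stand-in that emulates the flaw so the check's negative path can be exercised without a vulnerable binary.

```shell
#!/bin/sh
# Correct semantics with -n: the symlink itself is the destination; it
# already exists and -f is not given, so ln must refuse and leave the
# target directory untouched. The flaw described above instead follows
# the symlink and creates the new link inside the target directory.
# Prints "honoured" (returns 0) or "dereferenced" (returns 1).
check_ln_no_dereference() {
    ln_bin=${1:-ln}
    sandbox=$(mktemp -d) || return 2
    mkdir "$sandbox/target_dir"
    : > "$sandbox/source_file"
    # Setup uses the system ln on a non-existent destination, which is
    # unaffected by the flaw.
    ln -s "$sandbox/target_dir" "$sandbox/link_to_dir"
    # Exit status is deliberately ignored: the observable signal is
    # whether anything was created inside target_dir.
    "$ln_bin" -s -n "$sandbox/source_file" "$sandbox/link_to_dir" >/dev/null 2>&1
    if [ -e "$sandbox/target_dir/source_file" ]; then
        result=dereferenced; rc=1
    else
        result=honoured; rc=0
    fi
    rm -rf "$sandbox"
    echo "$result"
    return "$rc"
}

# Hypothetical stand-in emulating the flawed behaviour: -n is ignored and
# a symlink-to-directory destination is treated as that directory.
fake_vulnerable_ln() {
    shift 2                  # drop "-s -n"
    ln -s "$1" "$2/"         # trailing slash forces dereferencing
}

for candidate in ln fake_vulnerable_ln; do
    printf '%s: %s\n' "$candidate" "$(check_ln_no_dereference "$candidate" || true)"
done
```

Run it against the ln under review (for example `check_ln_no_dereference /path/to/uutils/ln`); "dereferenced" means the binary exhibits the behaviour this advisory describes.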


Scores

CVSS v3 5.0
EPSS 0.0014
EPSS Percentile 3.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-61
Status published
Products (3)
crates.io/coreutils 0 - 0.8.0
Uutils/coreutils < 0.8.0
uutils/coreutils < 0.8.0
Published Apr 22, 2026
Tracked Since Apr 22, 2026