GHSA-vp6q-mv9j-j428

Source

https://github.com/advisories/GHSA-vp6q-mv9j-j428

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-vp6q-mv9j-j428/GHSA-vp6q-mv9j-j428.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vp6q-mv9j-j428

Aliases

CVE-2026-35339

Published

2026-04-22T18:31:44Z

Modified

2026-05-05T16:11:51.179109Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

uutils coreutils incorrectly handles exit codes when processing multiple files

Details

The recursive mode (-R) of the chmod utility in uutils coreutils incorrectly handles exit codes when processing multiple files. The final return value is determined solely by the success or failure of the last file processed. This allows the command to return an exit code of 0 (success) even if errors were encountered on previous files, such as 'Operation not permitted'. Scripts relying on these exit codes may proceed under a false sense of success while sensitive files remain with restrictive or incorrect permissions.

Database specific

{
    "cwe_ids": [
        "CWE-253"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-29T22:50:01Z",
    "nvd_published_at": "2026-04-22T17:16:35Z",
    "severity": "MODERATE"
}

References

Affected packages

crates.io / coreutils

Package

Name: coreutils; View open source insights on deps.dev
Purl: pkg:cargo/coreutils

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.6.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-vp6q-mv9j-j428/GHSA-vp6q-mv9j-j428.json"