GHSA-88ch-q68x-36v7

Source
https://github.com/advisories/GHSA-88ch-q68x-36v7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-88ch-q68x-36v7/GHSA-88ch-q68x-36v7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-88ch-q68x-36v7
Aliases
  • CVE-2026-35340
Published
2026-04-22T18:31:44Z
Modified
2026-05-05T16:04:26.662006Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
uutils coreutils has an Incorrect Check of Function Return Value
Details

A flaw in the ChownExecutor used by uutils coreutils chown and chgrp causes the utilities to return an incorrect exit code during recursive operations. The final exit code is determined only by the last file processed. If the last operation succeeds, the command returns 0 even if earlier ownership or group changes failed due to permission errors. This can lead to security misconfigurations where administrative scripts incorrectly assume that ownership has been successfully transferred across a directory tree.
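The status handling described above, as an added Rust example that is not the uutils code: a recursive walk that returns only the last entry's status next to one that keeps failures sticky. The names `Op`, `children`, `walk` and `demo` are hypothetical, the ownership change is simulated by a closure, and the directory tree is constructed for the demonstration.

```rust
use std::path::{Path, PathBuf};
use std::{fs, io};

// Hypothetical per-entry operation standing in for the ownership change.
type Op<'a> = &'a dyn Fn(&Path) -> io::Result<()>;

// Sorted listing so the traversal order is deterministic.
fn children(dir: &Path) -> io::Result<Vec<PathBuf>> {
    let mut v = fs::read_dir(dir)?.map(|e| e.map(|e| e.path())).collect::<io::Result<Vec<PathBuf>>>()?;
    v.sort();
    Ok(v)
}

// accumulate = false: flawed pattern, each child status overwrites the previous one.
// accumulate = true: corrected pattern, any failure keeps the result non-zero.
fn walk(path: &Path, op: Op, accumulate: bool) -> i32 {
    let mut ret = i32::from(op(path).is_err());
    if path.is_dir() {
        match children(path) {
            Ok(kids) => for k in kids {
                let r = walk(&k, op, accumulate);
                ret = if accumulate { ret | r } else { r };
            },
            Err(_) => ret = 1,
        }
    }
    ret
}

// Constructed tree: a/denied fails early, z-ok succeeds and is processed last.
fn demo() -> io::Result<(i32, i32)> {
    let root = std::env::temp_dir().join(format!("ghsa-demo-{}", std::process::id()));
    fs::create_dir_all(root.join("a"))?;
    fs::write(root.join("a/denied"), b"")?;
    fs::write(root.join("z-ok"), b"")?;
    let op = |p: &Path| match p.file_name().and_then(|n| n.to_str()) {
        Some("denied") => Err(io::Error::from(io::ErrorKind::PermissionDenied)),
        _ => Ok(()),
    };
    let codes = (walk(&root, &op, false), walk(&root, &op, true));
    fs::remove_dir_all(&root)?;
    Ok(codes)
}

fn main() -> io::Result<()> {
    let (flawed, fixed) = demo()?;
    println!("last-wins exit code: {flawed}, accumulated exit code: {fixed}");
    Ok(())
}
```

A script that relies on the exit code of a recursive ownership change on an affected version can confirm the result independently, for example by listing entries whose owner still differs from the intended one.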

Database specific
{
    "cwe_ids": [
        "CWE-253"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-29T22:49:39Z",
    "nvd_published_at": "2026-04-22T17:16:35Z",
    "severity": "MODERATE"
}
Affected packages

crates.io / coreutils

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.6.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-88ch-q68x-36v7/GHSA-88ch-q68x-36v7.json"