GHSA-x2wv-9p67-mh9w

Source
https://github.com/advisories/GHSA-x2wv-9p67-mh9w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-x2wv-9p67-mh9w/GHSA-x2wv-9p67-mh9w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x2wv-9p67-mh9w
Aliases
  • CVE-2026-35350
Published
2026-04-22T18:31:45Z
Modified
2026-06-02T02:14:16.678235386Z
Severity
  • 6.6 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Summary
uutils coreutils doesn't properly handle setuid and setgid bits when ownership preservation fails
Details

The cp utility in uutils coreutils fails to properly handle setuid and setgid bits when ownership preservation fails. When copying with the -p (preserve) flag, the utility applies the source mode bits even if the chown operation is unsuccessful. This can result in a user-owned copy retaining original privileged bits, creating unexpected privileged executables that violate local security policies. This differs from GNU cp, which clears these bits when ownership cannot be preserved.
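The GNU-style handling described above, as an added Rust sketch that is not code from uutils coreutils or GNU cp: the copy keeps its setuid/setgid bits only when the ownership change succeeded. The names `mode_for_copy` and `copy_preserving` are hypothetical, and ownership is treated as a single success/failure outcome, which is a simplification.

```rust
use std::fs::{File, OpenOptions, Permissions};
use std::io;
use std::os::unix::fs::{fchown, MetadataExt, OpenOptionsExt, PermissionsExt};
use std::path::Path;

const S_ISUID: u32 = 0o4000; // set-user-ID bit
const S_ISGID: u32 = 0o2000; // set-group-ID bit

/// Permission bits the copy may receive. Setuid/setgid survive only when
/// the copy ended up with the source's owner and group.
fn mode_for_copy(src_mode: u32, ownership_preserved: bool) -> u32 {
    let mode = src_mode & 0o7777; // drop the file-type bits
    if ownership_preserved {
        mode
    } else {
        mode & !(S_ISUID | S_ISGID)
    }
}

/// Hypothetical helper (assumption, not a uutils function): copy `src` to
/// `dst` preserving owner and mode. Returns the mode applied to `dst`.
fn copy_preserving(src: &Path, dst: &Path) -> io::Result<u32> {
    let mut input = File::open(src)?;
    let meta = input.metadata()?;
    // Create owner-only, so no privileged bit exists before ownership is settled.
    let mut out = OpenOptions::new()
        .write(true)
        .create_new(true)
        .mode(0o600)
        .open(dst)?;
    io::copy(&mut input, &mut out)?;
    // Keep the outcome of the ownership change instead of discarding the error.
    let preserved = fchown(&out, Some(meta.uid()), Some(meta.gid())).is_ok();
    let mode = mode_for_copy(meta.mode(), preserved);
    out.set_permissions(Permissions::from_mode(mode))?;
    Ok(mode)
}

fn main() {
    // Constructed sample mode: regular file, setuid, rwxr-xr-x.
    let src_mode = 0o104755;
    println!("chown ok:     {:04o}", mode_for_copy(src_mode, true));
    println!("chown failed: {:04o}", mode_for_copy(src_mode, false));
}
```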

Database specific
{
    "cwe_ids": [
        "CWE-281"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2026-04-22T17:16:37Z",
    "github_reviewed_at": "2026-04-29T23:18:25Z",
    "severity": "MODERATE"
}
Affected packages

crates.io / coreutils

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
0.8.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-x2wv-9p67-mh9w/GHSA-x2wv-9p67-mh9w.json"