GHSA-8vrf-r662-2w2v

Suggest an improvement
Source
https://github.com/advisories/GHSA-8vrf-r662-2w2v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-8vrf-r662-2w2v/GHSA-8vrf-r662-2w2v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8vrf-r662-2w2v
Aliases
Published
2026-07-06T20:21:18Z
Modified
2026-07-06T20:31:25.822149261Z
Severity
  • 4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L CVSS Calculator
Summary
cp: -R reads device nodes as streams, destroying device semantics
Details

The cp utility in uutils coreutils, when performing recursive copies (-R), incorrectly treats character and block device nodes as stream sources rather than preserving them. Because the implementation reads bytes into regular files at the destination instead of using mknod, device semantics are destroyed (e.g., /dev/null becomes a regular file). This behavior can lead to runtime denial of service through disk exhaustion or process hangs when reading from unbounded device nodes.


Zellic finding 3.53. Reported in the Zellic uutils coreutils Program Security Assessment (for Canonical, Jan 2026), audited commit 3a07ffc5a9bd4c283e75afa548ba1f1957bad242.

Database specific
{
    "github_reviewed_at": "2026-07-06T20:21:18Z",
    "cwe_ids": [
        "CWE-400",
        "CWE-706"
    ],
    "severity": "MODERATE",
    "nvd_published_at": null,
    "github_reviewed": true
}
References

Affected packages

crates.io / uu_cp

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.7.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-8vrf-r662-2w2v/GHSA-8vrf-r662-2w2v.json"