GHSA-mh5c-xrmh-m794

Source

https://github.com/advisories/GHSA-mh5c-xrmh-m794

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mh5c-xrmh-m794/GHSA-mh5c-xrmh-m794.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mh5c-xrmh-m794

Aliases

CVE-2026-35368

Related

CGA-rmcm-9559-qxmc

Published

2026-04-22T18:31:45Z

Modified

2026-06-02T18:29:17.065253205Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

uutils coreutils has an Untrusted Search Path

Details

A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering the chroot but before dropping root privileges. On glibc-based systems, this can trigger the Name Service Switch (NSS) to load shared libraries (e.g., libnss_*.so.2) from the new root directory. If the NEWROOT is writable by an attacker, they can inject a malicious NSS module to execute arbitrary code as root, facilitating a full container escape or privilege escalation.

Database specific

{
    "cwe_ids": [
        "CWE-426"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2026-04-22T17:16:40Z",
    "github_reviewed_at": "2026-04-30T17:50:13Z",
    "severity": "HIGH"
}

References

Affected packages

crates.io / coreutils

Package

Name: coreutils; View open source insights on deps.dev
Purl: pkg:cargo/coreutils

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

0.8.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mh5c-xrmh-m794/GHSA-mh5c-xrmh-m794.json"