Description
A flaw in the ChownExecutor used by uutils coreutils chown and chgrp causes the utilities to return an incorrect exit code during recursive operations. The final exit code is determined only by the last file processed. If the last operation succeeds, the command returns 0 even if earlier ownership or group changes failed due to permission errors. This can lead to security misconfigurations where administrative scripts incorrectly assume that ownership has been successfully transferred across a directory tree.
Published: 2026-04-22
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Misleading Success Status
Action: Apply Patch
AI Analysis

Impact

A flaw in the ChownExecutor used by uutils coreutils chown and chgrp causes the utilities to return an incorrect exit code during recursive operations; the final exit code is determined only by the last file processed. If the last operation succeeds, the command returns 0 even when earlier ownership or group changes fail, leading to misinterpretation of success by scripts and administrators. This vulnerability corresponds to CWE-253, which involves incorrect initialization or state.

Affected Systems

The vulnerability affects the Uutils coreutils package, specifically the chown and chgrp utilities, present in all releases prior to versionĀ 0.6.0. Systems using older installs are susceptible until they apply the update containing the fix.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity. EPSS is not available, suggesting limited exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. The risk primarily stems from automated processes misinterpreting success, potentially proceeding with tasks under false assumptions, which could lead to incomplete permission changes, creating security gaps and possibly enabling privilege escalation or data exposure.

Generated by OpenCVE AI on April 27, 2026 at 08:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade uutils coreutils to versionĀ 0.6.0 or newer, which contains the corrected exit code logic.
  • Refactor scripts that depend on return codes to validate ownership changes explicitly after the command completes, for example by checking file attributes with stat or inspecting the ownership of the target files.
  • As an interim workaround for systems that cannot upgrade immediately, wrap the chown/chgrp commands in a custom script that iterates over each file in the tree and ensures success; abort if any file fails, thereby enforcing the correct status.

Generated by OpenCVE AI on April 27, 2026 at 08:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-88ch-q68x-36v7 uutils coreutils has an Incorrect Check of Function Return Value
History

Mon, 04 May 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Uutils
Uutils coreutils
Vendors & Products Uutils
Uutils coreutils

Wed, 22 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description A flaw in the ChownExecutor used by uutils coreutils chown and chgrp causes the utilities to return an incorrect exit code during recursive operations. The final exit code is determined only by the last file processed. If the last operation succeeds, the command returns 0 even if earlier ownership or group changes failed due to permission errors. This can lead to security misconfigurations where administrative scripts incorrectly assume that ownership has been successfully transferred across a directory tree.
Title uutils coreutils chown and chgrp False Success Exit Code in Recursive Mode
Weaknesses CWE-253
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Uutils Coreutils
cve-icon MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T18:14:26.690Z

Reserved: 2026-04-02T12:58:56.086Z

Link: CVE-2026-35340

cve-icon Vulnrichment

Updated: 2026-04-22T18:14:22.272Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T17:16:35.923

Modified: 2026-05-04T20:12:01.500

Link: CVE-2026-35340

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T19:54:48Z

Weaknesses