Description
The mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls back to a copy-and-delete routine that creates the destination file using the caller's UID/GID rather than the source's metadata. This flaw breaks backups and migrations, causing files moved by a privileged user (e.g., root) to become root-owned unexpectedly, which can lead to information disclosure or restricted access for the intended owners.
Published: 2026-04-22
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Loss of File Ownership Integrity During Cross-Device Moves
Action: Assess Impact
AI Analysis

Impact

The mv utility in Uutils coreutils does not preserve file ownership when moving files across filesystem boundaries. Instead of maintaining the source file’s UID/GID, the copy‑and‑delete fallback creates the destination file under the caller’s credentials. This violates the desired security property of ownership consistency, which can expose data to unintended users or deny legitimate owners access to their files. The flaw is classified as CWE-281, an improper handling of discretionary access control.

Affected Systems

The vulnerability affects the Uutils coreutils package. No specific version numbers are listed; any installation of the mv command within this distribution is potentially vulnerable.

Risk and Exploitability

The CVSS score of 4.2 indicates a moderate severity. Because the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, the known likelihood of exploitation is unclear, but cross‑filesystem operations are common during backups and migrations, increasing the risk surface for users who run mv with elevated privileges or under workarounds. An attacker or automated backup process could change the perceived ownership of critical files, potentially turning data unreachable or exposing it to privileged users. The attack vector is local to the host, requiring the ability to execute mv commands and thereby only mitigated by restricting privileged users or applying the official fix.

Generated by OpenCVE AI on April 22, 2026 at 18:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Uutils coreutils to a release that restores ownership preservation for cross‑filesystem moves.
  • If an update is not feasible, avoid using the mv command for cross‑filesystem operations; instead, use tools such as rsync with the --links and -a options or cp --preserve=ownership followed by a manual chown to restore metadata.
  • After performing a cross‑filesystem move with the vulnerable mv utility, verify the ownership of the destination files and restore the correct UID/GID using chown whenever necessary.

Generated by OpenCVE AI on April 22, 2026 at 18:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description The mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls back to a copy-and-delete routine that creates the destination file using the caller's UID/GID rather than the source's metadata. This flaw breaks backups and migrations, causing files moved by a privileged user (e.g., root) to become root-owned unexpectedly, which can lead to information disclosure or restricted access for the intended owners.
Title uutils coreutils mv Silent Ownership Loss in Cross-Device Operations
Weaknesses CWE-281
References
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T18:05:16.431Z

Reserved: 2026-04-02T12:58:56.087Z

Link: CVE-2026-35351

cve-icon Vulnrichment

Updated: 2026-04-22T18:04:16.287Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-22T17:16:37.457

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-35351

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T18:15:15Z

Weaknesses