CVE-2026-35358 - Vulnerability Details

- uutils coreutils cp Semantic Loss and Potential Denial of Service with -R via Device Node Stream Reading

Description

The cp utility in uutils coreutils, when performing recursive copies (-R), incorrectly treats character and block device nodes as stream sources rather than preserving them. Because the implementation reads bytes into regular files at the destination instead of using mknod, device semantics are destroyed (e.g., /dev/null becomes a regular file). This behavior can lead to runtime denial of service through disk exhaustion or process hangs when reading from unbounded device nodes.

Published: 2026-04-22

Score: 4.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The cp utility in uutils coreutils incorrectly treats character and block device nodes as stream sources during recursive copies, overwriting them with regular files and destroying device semantics; this flaw can cause disk exhaustion or process stalls, leading to a runtime denial of Service (CWE‑706).

Affected Systems

The vulnerability affects the uutils coreutils package, with versions prior to the 0.7.0 release likely impacted; the fix was introduced in the 0.7.0 release noted in the reference links.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate severity and the EPSS score of 0.00012, indicating a very low likelihood of exploitation; the vulnerability is not listed in CISA KEV. Attackers could exploit this by running cp -R on directories that include device nodes, which may be feasible for any user with file creation privileges. Given the lack of remote execution vectors, mitigation focuses on version updates or careful use of the tool to avoid copying device nodes.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Uutils

coreutils

unaffected

Version	Status	Constraints
`0`	affected	< 0.7.0

Configuration 1 [-]

cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*

No data.

Vendor Product Confidence Versions

Uutils

Coreutils

100%

Version	Status	Scheme	Platform
`[0,0.7.0)`	affected	semver	['linux', 'unix', 'macos']

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade uutils coreutils to version 0.7.0 or later to receive the upstream fix.
If an upgrade is unavailable, avoid using cp -R on directories that contain character or block device nodes, or manually remove device nodes before copying.
Monitor disk usage for unexpected growth when using recursive copy operations, and consider script‑based safeguards to prevent accidental copying of device files.

Generated by OpenCVE AI on April 28, 2026 at 15:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-67hp-f6hq-2h6g	uutils coreutils Uses Incorrectly-Resolved Name or Reference

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00012.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/uutils/coreutils/issues/9746
https://github.com/uutils/coreutils/pull/11163
https://github.com/uutils/coreutils/releases/tag/0.7.0

History

Mon, 04 May 2026 19:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:uutils:coreutils::::::rust::*

Mon, 27 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Uutils Uutils coreutils
Vendors & Products		Uutils Uutils coreutils

Wed, 22 Apr 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 22 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		The cp utility in uutils coreutils, when performing recursive copies (-R), incorrectly treats character and block device nodes as stream sources rather than preserving them. Because the implementation reads bytes into regular files at the destination instead of using mknod, device semantics are destroyed (e.g., /dev/null becomes a regular file). This behavior can lead to runtime denial of service through disk exhaustion or process hangs when reading from unbounded device nodes.
Title		uutils coreutils cp Semantic Loss and Potential Denial of Service with -R via Device Node Stream Reading
Weaknesses		CWE-706
References		https://github.com/uutils/coreutils/issues/9746 https://github.com/uutils/coreutils/pull/11163 https://github.com/uutils/coreutils/releases/tag/0.7.0
Metrics		cvssV3_1 `{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}`

Subscriptions

Uutils Coreutils

MITRE

Status: PUBLISHED

Assigner: canonical

Published: 2026-04-22T16:08:22.967Z

Updated: 2026-04-22T17:56:03.840Z

Reserved: 2026-04-02T12:58:56.087Z

Link: CVE-2026-35358

Vulnrichment

Updated: 2026-04-22T17:52:59.367Z

NVD

Status : Analyzed

Published: 2026-04-22T17:16:38.393

Modified: 2026-05-04T19:03:00.590

Link: CVE-2026-35358

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T15:30:34Z

Weaknesses

CWE-706

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object