Description
The cp utility in uutils coreutils, when performing recursive copies (-R), incorrectly treats character and block device nodes as stream sources rather than preserving them. Because the implementation reads bytes into regular files at the destination instead of using mknod, device semantics are destroyed (e.g., /dev/null becomes a regular file). This behavior can lead to runtime denial of service through disk exhaustion or process hangs when reading from unbounded device nodes.
Published: 2026-04-22
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The cp utility in uutils coreutils incorrectly treats character and block device nodes as stream sources during recursive copies, overwriting them with regular files and destroying device semantics; this flaw can cause disk exhaustion or process stalls, leading to a runtime denial of Service.

Affected Systems

The vulnerability affects the uutils coreutils package, with versions prior to the 0.7.0 release likely impacted; the fix was introduced in the 0.7.0 release noted in the reference links.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate severity and the EPSS score is not available; the vulnerability is not listed in CISA KEV. Attackers could exploit this by running cp -R on directories that include device nodes, which may be feasible for any user with file creation privileges. Given the lack of remote execution vectors, mitigation focuses on version updates or careful use of the tool to avoid copying device nodes.

Generated by OpenCVE AI on April 22, 2026 at 18:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade uutils coreutils to version 0.7.0 or later to receive the upstream fix.
  • If an upgrade is unavailable, avoid using cp -R on directories that contain character or block device nodes, or manually remove device nodes before copying.
  • Monitor disk usage for unexpected growth when using recursive copy operations, and consider script‑based safeguards to prevent accidental copying of device files.

Generated by OpenCVE AI on April 22, 2026 at 18:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description The cp utility in uutils coreutils, when performing recursive copies (-R), incorrectly treats character and block device nodes as stream sources rather than preserving them. Because the implementation reads bytes into regular files at the destination instead of using mknod, device semantics are destroyed (e.g., /dev/null becomes a regular file). This behavior can lead to runtime denial of service through disk exhaustion or process hangs when reading from unbounded device nodes.
Title uutils coreutils cp Semantic Loss and Potential Denial of Service with -R via Device Node Stream Reading
Weaknesses CWE-706
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T17:56:03.840Z

Reserved: 2026-04-02T12:58:56.087Z

Link: CVE-2026-35358

cve-icon Vulnrichment

Updated: 2026-04-22T17:52:59.367Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-22T17:16:38.393

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-35358

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T18:15:15Z

Weaknesses