Description
The mv utility in uutils coreutils improperly handles directory trees containing symbolic links during moves across filesystem boundaries. Instead of preserving symlinks, the implementation expands them, copying the linked targets as real files or directories at the destination. This can lead to resource exhaustion (disk space or time) if symlinks point to large external directories, unexpected duplication of sensitive data into unintended locations, or infinite recursion and repeated copying in the presence of symlink loops.
Published: 2026-04-22
Score: 6.6 Medium
EPSS: n/a
KEV: No
Impact: Denial of Service and Data Duplication
Action: Assess Impact
AI Analysis

Impact

The mv utility in uutils coreutils incorrectly expands symbolic links when moving directories across filesystem boundaries, instead of preserving them. This behavior can cause disk space exhaustion or overly long execution when symlinks point to large external directories, duplicate sensitive data into unintended locations, or trigger infinite recursion due to symlink loops. The vulnerability is classified as CWE‑59 and results in denial of service and potential data leakage. The likely attack vector is that an attacker controls a source directory containing such symlinks and uses mv to move it, either manually or via a malicious script.

Affected Systems

The affected product is uutils coreutils; specific version information is not provided. Any installation of this utility that exhibits the described behavior may be vulnerable.

Risk and Exploitability

The CVSS score of 6.6 indicates moderate severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known large‑scale exploitation yet. Nonetheless, a local user who can arrange a symlink‑heavy directory tree can exploit the flaw to exhaust disk resources or create redundant copies of data. The impact is confined to the host where mv is executed, but it can cause significant resource depletion and inadvertent data exposure.

Generated by OpenCVE AI on April 22, 2026 at 18:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest uutils coreutils release that addresses the symlink expansion issue.
  • Avoid moving directory trees that contain symbolic links, especially when the links may point to large or sensitive external directories.
  • If upgrading is not feasible, restrict mv usage to directories verified to lack symlink loops or large external targets, or use a tool that preserves symlinks without expanding them.
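
The verification step in the last recommendation can be scripted. The following is an added example, not part of the advisory or of uutils coreutils: it lists every symlink in a source tree without following any of them, labels each one, and reports whether the move would cross a filesystem boundary. The function names, labels and the script name audit.py are assumptions made for this sketch.

```python
import errno
import os
import sys

def crosses_filesystem(src, dest_dir):
    """True when src and dest_dir are on different devices (mv must copy, not rename)."""
    return os.lstat(src).st_dev != os.stat(dest_dir).st_dev

def classify(link, root):
    """Label one symlink by what expanding it during a copy would pull in."""
    try:
        os.stat(link)  # follows the link; fails on loops and missing/unreadable targets
    except OSError as exc:
        return "loop" if exc.errno == errno.ELOOP else "unresolvable"
    target = os.path.realpath(link)
    parent = os.path.realpath(os.path.dirname(link))
    if os.path.commonpath([target, parent]) == target:
        return "ancestor-loop"  # points at a directory that contains the link
    if os.path.commonpath([target, root]) != root:
        return "external"  # target lives outside the tree being moved
    return "internal"

def audit_symlinks(src):
    """Return sorted (relative_path, kind) for every symlink under src; follows none."""
    root = os.path.realpath(src)
    findings = []
    for dirpath, dirnames, filenames in os.walk(src, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                findings.append((os.path.relpath(path, src), classify(path, root)))
    return sorted(findings)

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: audit.py SOURCE_DIR DEST_DIR")
    src, dest = sys.argv[1], sys.argv[2]
    risky_kinds = {"external", "loop", "ancestor-loop"}
    risky = [f for f in audit_symlinks(src) if f[1] in risky_kinds]
    for rel, kind in risky:
        print(f"{kind:14} {rel}")
    if crosses_filesystem(src, dest) and risky:
        sys.exit("cross-filesystem move with risky symlinks: review before running mv")
```

A non-zero exit means the tree contains links that an expanding copy would follow outside the tree or back into itself, and the destination is on another filesystem.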



Advisories

No advisories yet.

History

Wed, 22 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description The mv utility in uutils coreutils improperly handles directory trees containing symbolic links during moves across filesystem boundaries. Instead of preserving symlinks, the implementation expands them, copying the linked targets as real files or directories at the destination. This can lead to resource exhaustion (disk space or time) if symlinks point to large external directories, unexpected duplication of sensitive data into unintended locations, or infinite recursion and repeated copying in the presence of symlink loops.
Title uutils coreutils mv Denial of Service and Data Duplication via Improper Symlink Expansion
Weaknesses CWE-59
References
Metrics cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L'}



MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T17:59:34.571Z

Reserved: 2026-04-02T12:58:56.088Z

Link: CVE-2026-35365

Vulnrichment

Updated: 2026-04-22T17:59:31.005Z

NVD

Status: Awaiting Analysis

Published: 2026-04-22T17:16:39.900

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-35365

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T18:15:15Z

Weaknesses