Description
The nohup utility in uutils coreutils creates its default output file, nohup.out, without specifying explicit restricted permissions. This causes the file to inherit umask-based permissions, typically resulting in a world-readable file (0644). In multi-user environments, this allows any user on the system to read the captured stdout/stderr output of a command, potentially exposing sensitive information. This behavior diverges from GNU coreutils, which creates nohup.out with owner-only (0600) permissions.
Published: 2026-04-22
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Update
AI Analysis

Impact

The nohup utility in uutils coreutils creates its default output file, nohup.out, without specifying explicit restricted permissions. This causes the file to inherit umask-based permissions, typically 0644. As a result, any user on a multi-user system can read the stdout/stderr captured by nohup, potentially exposing sensitive data. This diverges from the behavior of GNU coreutils, which restricts nohup.out to 0600, and is an information disclosure flaw classified as CWE-732.

Affected Systems

The flaw affects the uutils coreutils package, specifically the nohup component. No particular versions were listed, so any installation of this package that relies on the default nohup behavior is vulnerable. The impact is relevant in any environment where multiple users share a system and use nohup to run commands that produce output.

Risk and Exploitability

The CVSS score of 3.3 indicates a low severity vulnerability, and the EPSS score is not available, suggesting limited evidence of attack activity. The vulnerability is not listed in CISA KEV, further supporting a low exploitation likelihood. The attack vector is local; any user on the system can read a nohup.out file generated by another user's command and recover whatever data was written to stdout or stderr.

Generated by OpenCVE AI on April 22, 2026 at 18:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the uutils coreutils package to a version that sets explicit 0600 permissions on nohup.out.
  • If an update is not possible, redirect nohup output to a file created with restrictive permissions or to /dev/null, e.g., `nohup command > myoutput.log 2>&1 &` and then change the permissions of `myoutput.log` immediately.
  • Use the GNU coreutils implementation of nohup, which creates the output file with owner‑only permissions, or wrap the `nohup` call in a script that sets `umask 077` before execution.
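The redirect-then-chmod workaround above leaves a short window in which the log exists with umask-derived permissions. The following added example (not code from the advisory or from uutils; the function names `nohup_private` and `audit_nohup_out` are assumptions) creates the output file as 0600 before the command starts, and lists existing nohup.out files that are readable by group or others.

```shell
#!/bin/sh
# Added example, not from the advisory or the uutils project.
# Function names and paths are hypothetical.

# nohup_private OUTFILE COMMAND [ARGS...]
# Creates OUTFILE owner-only before the command runs, then starts the
# command under nohup in the background with stdout/stderr appended to it.
nohup_private() {
    [ "$#" -ge 2 ] || { echo "usage: nohup_private OUTFILE CMD..." >&2; return 2; }
    out=$1
    shift
    # Subshell: the caller's umask and shell options stay untouched.
    # umask 077 -> file is created 0600; set -C (noclobber) -> refuse to
    # reuse an existing file, whose mode would not be changed by a redirect.
    (
        umask 077
        set -C
        : >"$out"
    ) || { echo "nohup_private: cannot create $out (already exists?)" >&2; return 1; }
    # Because stdout is not a terminal, nohup does not fall back to creating
    # its default nohup.out file.
    nohup "$@" >>"$out" 2>&1 &
}

# audit_nohup_out DIR
# Prints every nohup.out under DIR that group or others can read.
audit_nohup_out() {
    find "$1" -type f -name nohup.out \( -perm -040 -o -perm -004 \) 2>/dev/null
}
```

Run `audit_nohup_out` over shared locations such as home directories or job working directories, and tighten or remove whatever it reports.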



Advisories

No advisories yet.

History

Wed, 22 Apr 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 22 Apr 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | The nohup utility in uutils coreutils creates its default output file, nohup.out, without specifying explicit restricted permissions. This causes the file to inherit umask-based permissions, typically resulting in a world-readable file (0644). In multi-user environments, this allows any user on the system to read the captured stdout/stderr output of a command, potentially exposing sensitive information. This behavior diverges from GNU coreutils, which creates nohup.out with owner-only (0600) permissions. |
| Title | | uutils coreutils nohup Information Disclosure via Insecure Default Output Permissions |
| Weaknesses | | CWE-732 |
| References | | |
| Metrics | | cvssV3_1 {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'} |



MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T17:49:29.072Z

Reserved: 2026-04-02T12:58:56.088Z

Link: CVE-2026-35367

Vulnrichment

Updated: 2026-04-22T17:49:19.375Z

NVD

Status: Awaiting Analysis

Published: 2026-04-22T17:16:40.423

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-35367

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T18:15:15Z
