Impact
A vulnerable implementation of the chroot utility in uutils coreutils permits arbitrary code execution when an attacker-controlled directory is used as the new root. When the --userspec option is given, the program resolves user names via getpwnam() after entering the chroot but before dropping root privileges. On glibc-based systems the Name Service Switch (NSS) then loads shared libraries from the new root, so an attacker-supplied libnss_*.so.2 is executed as root. This flaw enables local privilege escalation and a potential full container escape.
Affected Systems
uutils coreutils on glibc-based systems is affected when a user can supply a writable NEWROOT directory and invoke chroot with the --userspec option. No specific version range is disclosed, so all releases that have not yet applied the NSS module loading fix are potentially vulnerable.
Risk and Exploitability
The CVSS score is 7.2 and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. The attack requires an attacker to control a writable location that can be used as the new root directory and to invoke chroot with the --userspec option. Once those conditions are met, the vulnerable code loads the attacker-supplied NSS module before dropping privileges. Successful exploitation gives the attacker arbitrary code execution as root, enabling complete container escape or privilege escalation. The absence of an EPSS score and a KEV listing suggests that the vulnerability is not yet widely exploited, but the potential impact is significant.
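A pre-flight audit for the precondition described above, as an added example that is not from the advisory or the uutils project: before a privileged chroot --userspec run, it reports directories under NEWROOT that someone outside the trusted uids can write to, and any libnss_*.so.2 files already present in the tree. The function names, finding labels and sample tree are assumptions constructed here, and the check is deliberately conservative (it also flags group-writable and sticky world-writable directories).

```python
import fnmatch
import os
import stat
import tempfile

NSS_GLOB = "libnss_*.so.2"  # module file name pattern named in the advisory


def audit_newroot(newroot, trusted_uids=(0,)):
    """Return sorted (kind, path relative to newroot) findings for a chroot target."""
    root = os.path.realpath(newroot)
    findings = []
    # os.walk does not descend into symlinked directories by default.
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        st = os.stat(dirpath)
        # Anyone who can write here can add or replace files the root process may load.
        if st.st_uid not in trusted_uids or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(("untrusted-writable-dir", rel))
        # NSS modules inside the tree are what a post-chroot getpwnam() could load.
        for name in fnmatch.filter(files, NSS_GLOB):
            findings.append(("nss-module-present", os.path.normpath(os.path.join(rel, name))))
    return sorted(findings)


def demo():
    """Audit a constructed sample tree, treating the current uid as the trusted owner."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "newroot")
        lib = os.path.join(root, "lib")
        os.makedirs(lib)
        os.chmod(root, 0o755)
        os.chmod(lib, 0o777)  # constructed: world-writable library directory
        # Constructed empty placeholder file; only its name matters to the audit.
        open(os.path.join(lib, "libnss_example.so.2"), "wb").close()
        return audit_newroot(root, trusted_uids=(os.getuid(),))


if __name__ == "__main__":
    for kind, path in demo():
        print(kind, path)
```

An empty result means the tree is owned by the trusted uids, has no group- or world-writable directories, and carries no NSS modules of its own; any finding is a reason not to run chroot --userspec against that directory as root.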