CVE-2026-35369 - Vulnerability Details

- uutils coreutils kill System-wide Process Termination and Denial of Service via Argument Misinterpretation

Description

An argument parsing error in the kill utility of uutils coreutils incorrectly interprets kill -1 as a request to send the default signal (SIGTERM) to PID -1. Sending a signal to PID -1 causes the kernel to terminate all processes visible to the caller, potentially leading to a system crash or massive process termination. This differs from GNU coreutils, which correctly recognizes -1 as a signal number in this context and would instead report a missing PID argument.

Published: 2026-04-22

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The kill utility in uutils coreutils contains an argument parsing flaw that interprets the string "-1" as a request to send the default signal, SIGTERM, to PID -1. Sending a signal to PID -1 causes all processes visible to the caller to receive the signal, which can abruptly terminate them and crash the system. This is a classic input validation error (CWE‑20) that directly leads to a local denial of service.

Affected Systems

The vulnerability affects the uutils coreutils package, specifically the kill command. No specific version range is listed in the CVE entry, but related information points to a pull request and the release tag 0.6.0, implying that releases prior to 0.6.0 are vulnerable. Administrators should verify which version of uutils coreutils is installed on their hosts.

Risk and Exploitability

With a CVSS score of 5.5, the flaw has moderate severity. EPSS information is missing, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is local: any user/process that can invoke "kill -1" with sufficient privileges can trigger the kernel to terminate all processes visible to the caller, resulting in a system crash or denial of service. Remote exploitation or code execution is not required for this vulnerability.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Uutils

coreutils

unaffected

Version	Status	Constraints
`0`	affected	< 0.6.0

Configuration 1 [-]

cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*

No data.

Vendor Product Confidence Versions

Uutils

Coreutils

100%

Version	Status	Scheme	Platform
`[0,0.6.0)`	affected	generic	['linux', 'unix', 'macos']

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade uutils coreutils to version 0.6.0 or later, which corrects the argument parsing of the kill command.
Avoid using the kill command with the argument "-1"; if a system must use this syntax, employ explicit signal names to trigger the error handling in the implementation.
Restrict execution permissions for the uutils kill binary or remove it from untrusted user environments, and consider using GNU coreutils on critical systems, which correctly handles the edge case.

Generated by OpenCVE AI on April 27, 2026 at 08:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-gpcg-h6x2-c26p	uutils coreutils has an Improper Input Validation issue

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00023.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/uutils/coreutils/pull/9700
https://github.com/uutils/coreutils/releases/tag/0.6.0

History

Mon, 04 May 2026 19:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:uutils:coreutils::::::rust::*

Mon, 27 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Uutils Uutils coreutils
Vendors & Products		Uutils Uutils coreutils

Wed, 22 Apr 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 22 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		An argument parsing error in the kill utility of uutils coreutils incorrectly interprets kill -1 as a request to send the default signal (SIGTERM) to PID -1. Sending a signal to PID -1 causes the kernel to terminate all processes visible to the caller, potentially leading to a system crash or massive process termination. This differs from GNU coreutils, which correctly recognizes -1 as a signal number in this context and would instead report a missing PID argument.
Title		uutils coreutils kill System-wide Process Termination and Denial of Service via Argument Misinterpretation
Weaknesses		CWE-20
References		https://github.com/uutils/coreutils/pull/9700 https://github.com/uutils/coreutils/releases/tag/0.6.0
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Uutils Coreutils

MITRE

Status: PUBLISHED

Assigner: canonical

Published: 2026-04-22T16:08:51.268Z

Updated: 2026-04-22T17:48:32.873Z

Reserved: 2026-04-02T12:58:56.088Z

Link: CVE-2026-35369

Vulnrichment

Updated: 2026-04-22T17:48:30.050Z

NVD

Status : Analyzed

Published: 2026-04-22T17:16:40.687

Modified: 2026-05-04T18:50:23.537

Link: CVE-2026-35369

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T19:53:36Z

Weaknesses

CWE-20

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object