Impact
The id utility in uutils coreutils builds the groups= field from the process's real GID rather than its effective GID, which is the identity that actually governs what the process may access (the two differ, for example, under a setgid program or after newgrp/sg). The output can therefore list a group the process does not effectively hold and omit the one it does. Because security-sensitive scripts and automation commonly parse id output to make access-control decisions, the discrepancy can lead a check to grant access the caller should not have, or to deny access it should. The flaw is an instance of Incorrect Authorization (CWE-863) and primarily affects the integrity and confidentiality of protected resources.
Affected Systems
Affected versions are all installations that include the uutils coreutils package in which the id command has not been updated to compute the group list from the effective GID. The advisory does not name a specific fixed version, so every release predating the fix should be treated as potentially vulnerable.
Risk and Exploitability
The CVSS score of 4.4 places the issue in the medium range; no EPSS score is available, and the vulnerability is not currently listed in CISA KEV. Exploitation requires a script or process that trusts the groups= field of id output for group-membership checks, running in a context where the real and effective GIDs differ. An attacker would need to influence or bypass such a script; the exposure is local to the environment where the script runs, but it can serve as one step in a broader compromise chain if other services depend on the wrong group list. The remediation offered by the CNA is to update the package once a fixed release is available; until then, mitigations are to change scripts so they do not rely on the groups= field of uutils id (for instance by querying the effective GID and supplementary groups directly), or to use GNU coreutils id, which reports the effective GID.
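To make the discrepancy described under Impact, and the script mitigation above, concrete, the following Rust example (added here; it is not uutils' or GNU coreutils' code) assembles the groups= field both ways from constructed inputs and runs a typical membership check over the rendered line. The scenario values (a login group of 1000 with supplementary groups 1000 and 4 running a setgid-27 program, and a root-started process that has set its effective GID to 65534 while its real GID stays 0) are constructed, GIDs are modelled as u32 as on Linux, and the convention of listing the effective GID first is this example's own.

```rust
// Added example: not uutils' or GNU coreutils' code. GIDs are modelled as u32
// (the size of gid_t on Linux); every input below is constructed for illustration.

/// The flawed assembly the advisory describes: the list is seeded with the
/// real GID, so a group held only via setgid/newgrp never appears.
pub fn groups_field_buggy(rgid: u32, supplementary: &[u32]) -> Vec<u32> {
    dedup_keep_order(std::iter::once(rgid).chain(supplementary.iter().copied()))
}

/// The corrected assembly: seeded with the effective GID, the one that governs
/// access checks. Listing it first is this example's convention.
pub fn groups_field_fixed(egid: u32, supplementary: &[u32]) -> Vec<u32> {
    dedup_keep_order(std::iter::once(egid).chain(supplementary.iter().copied()))
}

/// Keep the first occurrence of each GID; the list is short, so a linear scan is fine.
fn dedup_keep_order(gids: impl Iterator<Item = u32>) -> Vec<u32> {
    let mut out: Vec<u32> = Vec::new();
    for gid in gids {
        if !out.contains(&gid) {
            out.push(gid);
        }
    }
    out
}

/// Render the field the way a script sees it on the id line, e.g. "groups=27,1000,4".
pub fn render_groups(list: &[u32]) -> String {
    let parts: Vec<String> = list.iter().map(|g| g.to_string()).collect();
    format!("groups={}", parts.join(","))
}

/// The kind of consumer the advisory warns about: a script that grants access
/// if and only if the wanted GID appears in the groups= field of an id line.
/// Accepts both numeric ("27") and named ("27(sudo)") entries.
pub fn script_allows(id_line: &str, wanted_gid: u32) -> bool {
    id_line
        .split_whitespace()
        .find_map(|field| field.strip_prefix("groups="))
        .map(|list| {
            list.split(',').any(|entry| {
                entry.split('(').next().and_then(|n| n.parse::<u32>().ok()) == Some(wanted_gid)
            })
        })
        .unwrap_or(false)
}

fn main() {
    // Constructed scenario 1: login group 1000, supplementary 1000 and 4, running
    // a setgid-27 program. The buggy field hides group 27 from the script.
    let supp = [1000u32, 4];
    let buggy = render_groups(&groups_field_buggy(1000, &supp));
    let fixed = render_groups(&groups_field_fixed(27, &supp));
    println!("setgid 27 -> buggy {buggy} (script sees 27: {})", script_allows(&buggy, 27));
    println!("setgid 27 -> fixed {fixed} (script sees 27: {})", script_allows(&fixed, 27));

    // Constructed scenario 2: a root-started service that has set its effective
    // GID to 65534 but still has real GID 0. The buggy field keeps group 0, so
    // a script trusting it believes the process is still in root's group.
    let buggy = render_groups(&groups_field_buggy(0, &[65534]));
    let fixed = render_groups(&groups_field_fixed(65534, &[65534]));
    println!("dropped privs -> buggy {buggy} (script sees 0: {})", script_allows(&buggy, 0));
    println!("dropped privs -> fixed {fixed} (script sees 0: {})", script_allows(&fixed, 0));
}
```

The two scenarios show both failure directions the advisory mentions: in the first, a script denies a group the process effectively holds; in the second, it accepts a group the process has already dropped. A consumer that needs the effective identity should read it from the process (getegid and getgroups) rather than from the text of an id line.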
OpenCVE Enrichment