Impact
A logic error in the ln utility of uutils coreutils causes the --no-dereference (-n) flag to be ignored unless --force (-f) is also given. The flaw, classified as CWE-61 (UNIX symbolic link following), means that when the destination passed to ln -n is a symlink pointing to a directory, ln follows the symlink and creates the new link inside that directory instead of treating the symlink itself as the destination. A local attacker who can create or replace such a symlink, or a privileged system script that uses ln -n to update one, can therefore have file creation redirected into a sensitive directory, leading to unauthorized file creation or inadvertent system misconfiguration.
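The following script is an added example (not code from uutils coreutils or from the advisory) that probes whether a given ln binary treats a symlink-to-directory destination as the link itself under -n, or follows it into the directory as described above. The binary under test is taken from the environment variable LN, which is an assumption of this example; it defaults to whatever ln is on PATH.

```shell
#!/bin/sh
# Added example (not code from uutils coreutils or the advisory): probe whether
# the ln binary named by $LN honours --no-dereference (-n) when the destination
# is a symlink to a directory. $LN is an assumption of this example; it defaults
# to the ln on PATH.
LN="${LN:-ln}"

# Exit status: 0 = -n honoured (the symlink itself is the destination);
# 1 = symlink followed, a link was created inside the directory it points to;
# 2 = neither behaviour, inspect manually.
probe_ln_no_dereference() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/realdir" "$tmp/other"
    ln -s realdir "$tmp/link"          # fixture: link -> realdir, made with the system ln

    # The call under test. -n says "$tmp/link" itself is the destination; it already
    # exists and -f is absent, so a correct ln must refuse and change nothing.
    "$LN" -sn ../other "$tmp/link" 2>/dev/null
    rc=$?
    if [ -L "$tmp/realdir/other" ]; then
        rm -rf "$tmp"; return 1        # followed the symlink: new entry inside realdir
    fi
    if [ "$rc" -eq 0 ] || [ "$(readlink "$tmp/link")" != realdir ]; then
        rm -rf "$tmp"; return 2        # neither of the two behaviours described
    fi

    # With -f the symlink is expected to be replaced in place, again with nothing
    # created inside realdir.
    "$LN" -sfn ../other "$tmp/link" 2>/dev/null || { rm -rf "$tmp"; return 2; }
    if [ -L "$tmp/realdir/other" ] || [ "$(readlink "$tmp/link")" != ../other ]; then
        rm -rf "$tmp"; return 2
    fi
    rm -rf "$tmp"
    return 0
}

probe_ln_no_dereference; verdict=$?
case $verdict in
    0) echo "$LN: --no-dereference honoured" ;;
    1) echo "$LN: --no-dereference ignored, symlink to directory was followed" ;;
    *) echo "$LN: unexpected behaviour, inspect manually" ;;
esac
```

Run it as `LN=/path/to/uutils/ln sh probe.sh` to test a specific build; the probe only ever touches a fresh temporary directory, so it is safe to run on a production host. A status of 1 is the behaviour this advisory describes; the check with -f at the end confirms that the same binary does treat the symlink as the destination once --force is present.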
Affected Systems
The affected component is the uutils coreutils package, commonly used as a Rust-based drop-in replacement for GNU coreutils. All releases prior to version 0.8.0 are affected; the bug was fixed in the 0.8.0 release, so upgrading to 0.8.0 or later removes it. Users running earlier versions should audit how ln is invoked in their environment, especially in privileged scripts that rely on --no-dereference without --force to replace an existing symlink.
Risk and Exploitability
The CVSS score of 5.0 denotes medium risk. No EPSS score is available, and the vulnerability is not currently listed in the CISA KEV catalog. The attack vector is local: the attacker needs the ability to create or replace a symlink that a later invocation of ln -n, whether by the same user or by a privileged system script, uses as its destination. Because the bug only triggers when that symlink points to a directory, the attacker must be able to control where it points. Exploitation does not involve remote code execution, but it yields unauthorized file placement and potential configuration drift, which could be leveraged in a broader attack chain.
OpenCVE Enrichment