CVE-2026-35361

The mknod utility in uutils coreutils fails to handle security labels atomically by creating device nodes before setting the SELinux context. If labeling fails, the utility attempts cleanup using std::fs::remove_dir, which cannot remove device nodes or FIFOs. This leaves mislabeled nodes behind with incorrect default contexts, potentially allowing unauthorized access to device nodes that should have been restricted by mandatory access controls.

CVSS v3 3.4 LOW

3.4^/10

CVSS v3 : LOW

Vector :

Exploitability : 0.8 / Impact : 2.5

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/uutils/coreutils/pull/10582	Exploit Issue Tracking Patch
https://github.com/uutils/coreutils/releases/tag/0.6.0	Release Notes
https://github.com/uutils/coreutils/pull/10582	Exploit Issue Tracking Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*

History

27 Apr 2026, 12:27

Type	Values Removed	Values Added
CPE		cpe:2.3:a:uutils:coreutils::::::rust::*
First Time		Uutils Uutils coreutils
References	~~() https://github.com/uutils/coreutils/pull/10582 -~~	() https://github.com/uutils/coreutils/pull/10582 - Exploit, Issue Tracking, Patch
References	~~() https://github.com/uutils/coreutils/releases/tag/0.6.0 -~~	() https://github.com/uutils/coreutils/releases/tag/0.6.0 - Release Notes

22 Apr 2026, 18:16

Type	Values Removed	Values Added
References	~~() https://github.com/uutils/coreutils/pull/10582 -~~	() https://github.com/uutils/coreutils/pull/10582 -

22 Apr 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-22 17:16

Updated : 2026-04-27 12:27

NVD link : CVE-2026-35361

Mitre link : CVE-2026-35361

CVE.ORG link : CVE-2026-35361

JSON object : View

Products Affected

uutils

coreutils

CWE

CWE-281

Improper Preservation of Permissions

CWE-459

Incomplete Cleanup

{"id": "CVE-2026-35361", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@ubuntu.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.4, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 0.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.8}]}, "published": "2026-04-22T17:16:38.827", "references": [{"url": "https://github.com/uutils/coreutils/pull/10582", "tags": ["Exploit", "Issue Tracking", "Patch"], "source": "security@ubuntu.com"}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.6.0", "tags": ["Release Notes"], "source": "security@ubuntu.com"}, {"url": "https://github.com/uutils/coreutils/pull/10582", "tags": ["Exploit", "Issue Tracking", "Patch"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@ubuntu.com", "description": [{"lang": "en", "value": "CWE-281"}, {"lang": "en", "value": "CWE-459"}]}], "descriptions": [{"lang": "en", "value": "The mknod utility in uutils coreutils fails to handle security labels atomically by creating device nodes before setting the SELinux context. If labeling fails, the utility attempts cleanup using std::fs::remove_dir, which cannot remove device nodes or FIFOs. This leaves mislabeled nodes behind with incorrect default contexts, potentially allowing unauthorized access to device nodes that should have been restricted by mandatory access controls."}], "lastModified": "2026-04-27T12:27:20.527", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "87C33018-2E08-45B0-B69C-7FC224F7F883", "versionEndExcluding": "0.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@ubuntu.com"}