Fluid Attacks Database

Description

A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism. The implementation only validates if the target path is literally / and does not canonicalize the path. An attacker or accidental user can use path variants such as /../ or symbolic links to execute destructive recursive operations (e.g., chmod -R 000) on the entire root filesystem, leading to system-wide permission loss and potential complete system breakdown.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	rust-coreutils	=0.0.30-2 \|\| =0.0.30-3 \|\| =0.0.30-3~exp1 \|\| =0.0.30-4 \|\| =0.6.0-1 \|\| =0.7.0-1	-
debian 12	rust-coreutils	=0.0.17-2 \|\| =0.0.17-3 \|\| =0.0.17-4 \|\| =0.0.17-5 \|\| =0.0.17-6 \|\| =0.0.19-1 \|\| =0.0.19-2 \|\| =0.0.19-3 \|\| =0.0.20-1 \|\| =0.0.21-1 \|\| =0.0.22-1 \|\| =0.0.23-1 \|\| =0.0.23-2 \|\| =0.0.23-3 \|\| =0.0.24-1 \|\| =0.0.24-2 \|\| =0.0.26-1 \|\| =0.0.26-2 \|\| =0.0.26-3 \|\| =0.0.26-4 \|\| =0.0.26-5 \|\| =0.0.27-1 \|\| =0.0.27-2 \|\| =0.0.27-3 \|\| =0.0.30-1 \|\| =0.0.30-2 \|\| =0.0.30-3 \|\| =0.0.30-3~exp1 \|\| =0.0.30-4 \|\| =0.6.0-1 \|\| =0.7.0-1	-
cargo	coreutils	>=0 <0.6.0	0.6.0

Aliases

1. CVE-2026-353382. NVD-2026-353383. OSV-DEBIAN-2026-353384. OSV-2026-353385. GCVE-2026-353386. SECURITY-TRACKER-CVE-2026-35338

References

1. https://github.com/uutils/coreutils/pull/100332. https://github.com/uutils/coreutils/commit/413055b378fa6fe2299c5e5f538c8e6e841ab8103. https://github.com/uutils/coreutils/releases/tag/0.6.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.