CVE Vulnerabilities

CVE-2026-35351

Improper Preservation of Permissions

Published: Apr 22, 2026 | Modified: Apr 27, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

The mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls back to a copy-and-delete routine that creates the destination file using the callers UID/GID rather than the sources metadata. This flaw breaks backups and migrations, causing files moved by a privileged user (e.g., root) to become root-owned unexpectedly, which can lead to information disclosure or restricted access for the intended owners.

Weakness

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

Affected Software

NameVendorStart VersionEnd Version
CoreutilsUutils- (including)- (including)
Rust-coreutilsUbuntudevel*
Rust-coreutilsUbuntuesm-apps/noble*
Rust-coreutilsUbuntunoble*
Rust-coreutilsUbuntuquesting*
Rust-coreutilsUbunturesolute*
Rust-coreutilsUbuntuupstream*

References