CVE Vulnerabilities

CVE-2026-35371

User Interface (UI) Misrepresentation of Critical Information

Published: Apr 22, 2026 | Modified: May 04, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

The id utility in uutils coreutils exhibits incorrect behavior in its pretty print output when the real UID and effective UID differ. The implementation incorrectly uses the effective GID instead of the effective UID when performing a name lookup for the effective user. This results in misleading diagnostic output that can cause automated scripts or system administrators to make incorrect decisions regarding file permissions or access control.

Weakness

The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.

Affected Software

NameVendorStart VersionEnd Version
CoreutilsUutils- (including)- (including)
Rust-coreutilsUbuntudevel*
Rust-coreutilsUbuntuesm-apps/noble*
Rust-coreutilsUbuntunoble*
Rust-coreutilsUbuntuquesting*
Rust-coreutilsUbunturesolute*
Rust-coreutilsUbuntuupstream*

Extended Description

If an attacker can cause the UI to display erroneous data, or to otherwise convince the user to display information that appears to come from a trusted source, then the attacker could trick the user into performing the wrong action. This is often a component in phishing attacks, but other kinds of problems exist. For example, if the UI is used to monitor the security state of a system or network, then omitting or obscuring an important indicator could prevent the user from detecting and reacting to a security-critical event. UI misrepresentation can take many forms:

Potential Mitigations

References