NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A logic error in the ln utility of uutils coreutils causes the program to reject source paths containing non-UTF-8 filename bytes when using target-directory forms (e.g., ln SOURCE... DIRECTORY). While GNU ln treats filenames as raw bytes and creates the links correctly, the uutils implementation enforces UTF-8 encoding, resulting in a failure to stat the file and a non-zero exit code. In environments where automated scripts or system tasks process valid but non-UTF-8 filenames common on Unix filesystems, this divergence causes the utility to fail, leading to a local denial of service for those specific operations.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35373
• https://github.com/uutils/coreutils/pull/11403

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.

Remediation

There is no fixed version for Ubuntu:26.04 tar.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-5704
• https://access.redhat.com/security/cve/CVE-2026-5704
• https://bugzilla.redhat.com/show_bug.cgi?id=2455360
• http://www.openwall.com/lists/oss-security/2026/04/11/10
• http://www.openwall.com/lists/oss-security/2026/04/11/11
• http://www.openwall.com/lists/oss-security/2026/04/12/2

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A flaw was found in util-linux. Improper hostname canonicalization in the login(1) utility, when invoked with the -h option, can modify the supplied remote hostname before setting PAM_RHOST. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.

Remediation

There is no fixed version for Ubuntu:26.04 util-linux.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-3184
• https://access.redhat.com/errata/RHSA-2026:7180
• https://access.redhat.com/security/cve/CVE-2026-3184
• https://bugzilla.redhat.com/show_bug.cgi?id=2442570

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.

This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.

Remediation

There is no fixed version for Ubuntu:26.04 glibc.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-4046
• https://sourceware.org/bugzilla/show_bug.cgi?id=33980
• https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007;hb=HEAD
• https://inbox.sourceware.org/libc-announce/76814edf-cf7f-47ec-979d-2dce0a2c76bf@gotplt.org/T/#u

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.

Remediation

There is no fixed version for Ubuntu:26.04 glibc.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-4437
• https://sourceware.org/bugzilla/show_bug.cgi?id=34014

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.

Remediation

There is no fixed version for Ubuntu:26.04 glibc.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-4438
• https://sourceware.org/bugzilla/show_bug.cgi?id=34015

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data.

Remediation

There is no fixed version for Ubuntu:26.04 libgcrypt20.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-41990
• https://dev.gnupg.org/T8208
• https://lists.gnupg.org/pipermail/gnupg-announce/2026q2/000503.html
• https://www.openwall.com/lists/oss-security/2026/04/21/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A vulnerability in uutils coreutils mkfifo allows for the unauthorized modification of permissions on existing files. When mkfifo fails to create a FIFO because a file already exists at the target path, it fails to terminate the operation for that path and continues to execute a follow-up set_permissions call. This results in the existing file's permissions being changed to the default mode (often 644 after umask), potentially exposing sensitive files such as SSH private keys to other users on the system.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35341
• https://github.com/uutils/coreutils/issues/10020

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The dd utility in uutils coreutils suppresses errors during file truncation operations by unconditionally calling Result::ok() on truncation attempts. While intended to mimic GNU behavior for special files like /dev/null, the uutils implementation also hides failures on regular files and directories caused by full disks or read-only file systems. This can lead to silent data corruption in backup or migration scripts, as the utility may report a successful operation even when the destination file contains old or garbage data.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35344
• https://github.com/uutils/coreutils/issues/9745

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A vulnerability in the tail utility of uutils coreutils allows for the exfiltration of sensitive file contents when using the --follow=name option. Unlike GNU tail, the uutils implementation continues to monitor a path after it has been replaced by a symbolic link, subsequently outputting the contents of the link's target. In environments where a privileged user (e.g., root) monitors a log directory, a local attacker with write access to that directory can replace a log file with a symlink to a sensitive system file (such as /etc/shadow), causing tail to disclose the contents of the sensitive file.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35345
• https://github.com/uutils/coreutils/issues/10328

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The sort utility in uutils coreutils is vulnerable to a process panic when using the --files0-from option with inputs containing non-UTF-8 filenames. The implementation enforces UTF-8 encoding and utilizes expect(), causing an immediate crash when encountering valid but non-UTF-8 paths. This diverges from GNU sort, which treats filenames as raw bytes. A local attacker can exploit this to crash the utility and disrupt automated pipelines.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35348
• https://github.com/uutils/coreutils/issues/9696

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The cp utility in uutils coreutils fails to properly handle setuid and setgid bits when ownership preservation fails. When copying with the -p (preserve) flag, the utility applies the source mode bits even if the chown operation is unsuccessful. This can result in a user-owned copy retaining original privileged bits, creating unexpected privileged executables that violate local security policies. This differs from GNU cp, which clears these bits when ownership cannot be preserved.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35350
• https://github.com/uutils/coreutils/issues/9750

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls back to a copy-and-delete routine that creates the destination file using the caller's UID/GID rather than the source's metadata. This flaw breaks backups and migrations, causing files moved by a privileged user (e.g., root) to become root-owned unexpectedly, which can lead to information disclosure or restricted access for the intended owners.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35351
• https://github.com/uutils/coreutils/issues/9714

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO and then performs a path-based chmod to set permissions. A local attacker with write access to the parent directory can swap the newly created FIFO for a symbolic link between these two operations. This redirects the chmod call to an arbitrary file, potentially enabling privilege escalation if the utility is run with elevated privileges.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35352
• http://www.openwall.com/lists/oss-security/2026/05/04/4
• http://www.openwall.com/lists/oss-security/2026/05/04/5
• http://www.openwall.com/lists/oss-security/2026/05/04/6
• https://github.com/uutils/coreutils/issues/10020

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mv utility of uutils coreutils during cross-device moves. The extended attribute (xattr) preservation logic uses multiple path-based system calls that perform fresh path-to-inode lookups for each operation. A local attacker with write access to the directory can exploit this race to swap files between calls, causing the destination file to receive an inconsistent mix of security xattrs, such as SELinux labels or file capabilities.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35354
• https://github.com/uutils/coreutils/issues/10014

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The cp utility in uutils coreutils is vulnerable to an information disclosure race condition. Destination files are initially created with umask-derived permissions (e.g., 0644) before being restricted to their final mode (e.g., 0600) later in the process. A local attacker can race to open the file during this window; once obtained, the file descriptor remains valid and readable even after the permissions are tightened, exposing sensitive or private file contents.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35357
• https://github.com/uutils/coreutils/issues/10011

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a source path is a symbolic link using path-based metadata but subsequently opens it without the O_NOFOLLOW flag. An attacker with concurrent write access can swap a regular file for a symbolic link during this window, causing a privileged cp process to copy the contents of arbitrary sensitive files into a destination controlled by the attacker.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35359
• https://github.com/uutils/coreutils/issues/10017

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35360
• https://github.com/uutils/coreutils/issues/10019

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A vulnerability in the rm utility of uutils coreutils allows the bypass of safeguard mechanisms intended to protect the current directory. While the utility correctly refuses to delete . or .., it fails to recognize equivalent paths with trailing slashes, such as ./ or .///. An accidental or malicious execution of rm -rf ./ results in the silent recursive deletion of all contents within the current directory. The command further obscures the data loss by reporting a misleading 'Invalid input' error, which may cause users to miss the critical window for data recovery.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35363
• https://github.com/uutils/coreutils/issues/9749

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation. A local attacker with write access to the destination directory can exploit this window to replace the destination with a symbolic link. The subsequent privileged move operation will follow the symlink, allowing the attacker to redirect the write and overwrite an arbitrary target file with contents from the source.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35364
• https://github.com/uutils/coreutils/issues/10015

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The nohup utility in uutils coreutils creates its default output file, nohup.out, without specifying explicit restricted permissions. This causes the file to inherit umask-based permissions, typically resulting in a world-readable file (0644). In multi-user environments, this allows any user on the system to read the captured stdout/stderr output of a command, potentially exposing sensitive information. This behavior diverges from GNU coreutils, which creates nohup.out with owner-only (0600) permissions.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35367
• https://github.com/uutils/coreutils/issues/10021

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering the chroot but before dropping root privileges. On glibc-based systems, this can trigger the Name Service Switch (NSS) to load shared libraries (e.g., libnss_*.so.2) from the new root directory. If the NEWROOT is writable by an attacker, they can inject a malicious NSS module to execute arbitrary code as root, facilitating a full container escape or privilege escalation.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35368
• https://github.com/uutils/coreutils/issues/10327

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions, this discrepancy can lead to unauthorized access or security misconfigurations.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35370
• https://github.com/uutils/coreutils/issues/10006

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The id utility in uutils coreutils exhibits incorrect behavior in its "pretty print" output when the real UID and effective UID differ. The implementation incorrectly uses the effective GID instead of the effective UID when performing a name lookup for the effective user. This results in misleading diagnostic output that can cause automated scripts or system administrators to make incorrect decisions regarding file permissions or access control.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35371
• https://github.com/uutils/coreutils/issues/10006

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the split utility of uutils coreutils. The program attempts to prevent data loss by checking for identity between input and output files using their file paths before initiating the split operation. However, the utility subsequently opens the output file with truncation after this path-based validation is complete. A local attacker with write access to the directory can exploit this race window by manipulating mutable path components (e.g., swapping a path with a symbolic link). This can cause split to truncate and write to an unintended target file, potentially including the input file itself or other sensitive files accessible to the process, leading to permanent data loss.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35374
• https://github.com/uutils/coreutils/pull/11401

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S (split-string) option. In GNU env, backslashes within single quotes are treated literally (with the exceptions of \ and '). However, the uutils implementation incorrectly attempts to validate these sequences, resulting in an "invalid sequence" error and an immediate process termination with an exit status of 125 when encountering valid but unrecognized sequences like \a or \x. This divergence from GNU behavior breaks compatibility for automated scripts and administrative workflows that rely on standard split-string semantics, leading to a local denial of service for those operations.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35377
• https://github.com/uutils/coreutils/pull/11512

NVD Description

Note: Versions mentioned in the description apply only to the upstream sed package and not the sed package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path:

1. resolves symlink to its target and stores the resolved path for determining when output is written,
2. opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process.

This issue was fixed in version 4.10.

Remediation

Upgrade Ubuntu:26.04 sed to version 4.9-2ubuntu1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-5958
• https://cert.pl/en/posts/2026/04/CVE-2026-5958
• https://www.gnu.org/software/sed/
• http://www.openwall.com/lists/oss-security/2026/05/13/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

Remediation

There is no fixed version for Ubuntu:26.04 tar.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-45582
• https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md
• https://www.gnu.org/software/tar/
• https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html
• https://www.gnu.org/software/tar/manual/html_node/Integrity.html
• https://www.gnu.org/software/tar/manual/html_node/Security-rules-of-thumb.html
• http://www.openwall.com/lists/oss-security/2025/11/01/6

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.

Remediation

There is no fixed version for Ubuntu:26.04 util-linux.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-27456
• https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4
• https://github.com/util-linux/util-linux/releases/tag/v2.41.4
• https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g