CVE-2026-35339: uutils coreutils incorrectly handles exit codes when processing multiple files

April 22, 2026 (updated April 29, 2026)

The recursive mode (-R) of the chmod utility in uutils coreutils incorrectly handles exit codes when processing multiple files. The final return value is determined solely by the success or failure of the last file processed. This allows the command to return an exit code of 0 (success) even if errors were encountered on previous files, such as ‘Operation not permitted’. Scripts relying on these exit codes may proceed under a false sense of success while sensitive files remain with restrictive or incorrect permissions.

References

github.com/advisories/GHSA-vp6q-mv9j-j428
github.com/uutils/coreutils
github.com/uutils/coreutils/commit/abd581f62e97d0b147306ac40eac13af71c6fbba
github.com/uutils/coreutils/pull/9793
github.com/uutils/coreutils/releases/tag/0.6.0
nvd.nist.gov/vuln/detail/CVE-2026-35339

Code Behaviors & Features

Detect and mitigate CVE-2026-35339 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →