CVE-2026-35340: uutils coreutils has an Incorrect Check of Function Return Value

April 22, 2026 (updated April 29, 2026)

A flaw in the ChownExecutor used by uutils coreutils chown and chgrp causes the utilities to return an incorrect exit code during recursive operations. The final exit code is determined only by the last file processed. If the last operation succeeds, the command returns 0 even if earlier ownership or group changes failed due to permission errors. This can lead to security misconfigurations where administrative scripts incorrectly assume that ownership has been successfully transferred across a directory tree.

References

github.com/advisories/GHSA-88ch-q68x-36v7
github.com/uutils/coreutils
github.com/uutils/coreutils/commit/ebc08af9c34138f474b32ea0ef34bed3b086a3ed
github.com/uutils/coreutils/pull/10035
github.com/uutils/coreutils/releases/tag/0.6.0
nvd.nist.gov/vuln/detail/CVE-2026-35340

Code Behaviors & Features

Detect and mitigate CVE-2026-35340 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →