CVE-2026-35351: uutils coreutils doesn't preserve file ownership during moves across different filesystem boundaries

April 22, 2026 (updated April 29, 2026)

The mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls back to a copy-and-delete routine that creates the destination file using the caller’s UID/GID rather than the source’s metadata. This flaw breaks backups and migrations, causing files moved by a privileged user (e.g., root) to become root-owned unexpectedly, which can lead to information disclosure or restricted access for the intended owners.

References

github.com/advisories/GHSA-957r-r8gc-vv3h
github.com/uutils/coreutils
github.com/uutils/coreutils/issues/9714
nvd.nist.gov/vuln/detail/CVE-2026-35351

Code Behaviors & Features

Detect and mitigate CVE-2026-35351 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →