CVE-2026-35361: uutils coreutils has an Improper Preservation of Permissions issue

April 22, 2026 (updated April 30, 2026)

The mknod utility in uutils coreutils fails to handle security labels atomically by creating device nodes before setting the SELinux context. If labeling fails, the utility attempts cleanup using std::fs::remove_dir, which cannot remove device nodes or FIFOs. This leaves mislabeled nodes behind with incorrect default contexts, potentially allowing unauthorized access to device nodes that should have been restricted by mandatory access controls.

References

github.com/advisories/GHSA-79rc-qpw3-jv92
github.com/uutils/coreutils
github.com/uutils/coreutils/commit/42b2ad83cdcf6e959ecb378c5040c60d9c64becf
github.com/uutils/coreutils/pull/10582
github.com/uutils/coreutils/releases/tag/0.6.0
nvd.nist.gov/vuln/detail/CVE-2026-35361

Code Behaviors & Features

Detect and mitigate CVE-2026-35361 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →