
CVE-2026-35367: uutils coreutils has an Incorrect Permission Assignment for Critical Resource

April 22, 2026 (updated April 30, 2026)

The nohup utility in uutils coreutils creates its default output file, nohup.out, without specifying explicit restricted permissions. This causes the file to inherit umask-based permissions, typically resulting in a world-readable file (0644). In multi-user environments, this allows any user on the system to read the captured stdout/stderr output of a command, potentially exposing sensitive information. This behavior diverges from GNU coreutils, which creates nohup.out with owner-only (0600) permissions.
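The difference between the two creation modes, as an added example that is not code from uutils or GNU coreutils: the function names and scratch file names are hypothetical, and it uses only the Rust standard library on a Unix target.

```rust
use std::fs::{self, File, OpenOptions};
use std::io;
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Umask-dependent creation: the requested mode defaults to 0o666,
/// so a umask of 022 yields a world-readable 0644 file.
fn create_default(path: &Path) -> io::Result<File> {
    OpenOptions::new().create(true).append(true).open(path)
}

/// Owner-only creation: the requested mode is 0o600, and the umask can only
/// clear bits from it. The mode is applied only when the file is created;
/// a file that already exists keeps whatever permissions it has.
fn create_owner_only(path: &Path) -> io::Result<File> {
    OpenOptions::new().create(true).append(true).mode(0o600).open(path)
}

/// Permission bits (rwx for user, group, other) of a path.
fn mode_of(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

/// Creates one file each way in a scratch directory (constructed for this
/// example) and returns (default_mode, owner_only_mode).
fn demo() -> io::Result<(u32, u32)> {
    let dir = std::env::temp_dir().join(format!("nohup-mode-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let (weak, hard) = (dir.join("default.out"), dir.join("owner-only.out"));
    // Start from a clean slate so both files are really created here.
    let _ = fs::remove_file(&weak);
    let _ = fs::remove_file(&hard);
    drop(create_default(&weak)?);
    drop(create_owner_only(&hard)?);
    let modes = (mode_of(&weak)?, mode_of(&hard)?);
    fs::remove_dir_all(&dir)?;
    Ok(modes)
}

fn main() -> io::Result<()> {
    let (weak, hard) = demo()?;
    println!("default create: {:04o}  owner-only create: {:04o}", weak, hard);
    Ok(())
}
```

The first value depends on the umask of the calling process, while the second never carries group or other bits.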

References

  • github.com/advisories/GHSA-5hgf-628x-mcqf
  • github.com/uutils/coreutils
  • github.com/uutils/coreutils/issues/10021
  • nvd.nist.gov/vuln/detail/CVE-2026-35367

Affected versions

All versions up to 0.8.0

Solution

Unfortunately, there is no solution available yet.

Impact 3.3 LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Weakness

  • CWE-732: Incorrect Permission Assignment for Critical Resource

Source file

cargo/coreutils/CVE-2026-35367.yml

Page generated Sat, 09 May 2026 12:17:56 +0000.