CVE-2026-35368: uutils coreutils has an Untrusted Search Path
A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering the chroot but before dropping root privileges. On glibc-based systems, this can trigger the Name Service Switch (NSS) to load shared libraries (e.g., libnss_*.so.2) from the new root directory. If the NEWROOT is writable by an attacker, they can inject a malicious NSS module to execute arbitrary code as root, facilitating a full container escape or privilege escalation.
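The ordering that avoids this, as an example added here and not taken from uutils or its fix: resolve the user specification while still in the host root, then chroot, then drop privileges using only the numeric IDs. The function names are hypothetical, and as a simplification a bare numeric UID must come with an explicit group.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Numeric IDs are used directly, so they never trigger an NSS lookup. */
static int parse_id(const char *s, unsigned long *out) {
    char *end;
    if (*s < '0' || *s > '9') return -1;
    *out = strtoul(s, &end, 10);
    return (*end == '\0' && *out < 0xFFFFFFFFUL) ? 0 : -1;
}

/* Resolve "user[:group]" to IDs. Call this BEFORE chroot() so that any NSS
 * module glibc loads comes from the host root, not from NEWROOT. */
int resolve_userspec(const char *spec, uid_t *uid, gid_t *gid) {
    char buf[256];
    unsigned long n;
    int have_gid = 0;
    struct passwd *pw = NULL;
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    char *grp = strchr(buf, ':');
    if (grp) *grp++ = '\0';
    if (parse_id(buf, &n) == 0) *uid = (uid_t)n;
    else if ((pw = getpwnam(buf)) == NULL) return -1;
    else { *uid = pw->pw_uid; *gid = pw->pw_gid; have_gid = 1; }
    if (grp && *grp) {
        struct group *gr = NULL;
        if (parse_id(grp, &n) == 0) *gid = (gid_t)n;
        else if ((gr = getgrnam(grp)) != NULL) *gid = gr->gr_gid;
        else return -1;
        have_gid = 1;
    }
    return have_gid ? 0 : -1;
}

/* Resolve, chroot, drop. setgroups() takes the resolved GID; initgroups() would look names up again. */
int enter_chroot_as(const char *newroot, const char *spec) {
    uid_t uid; gid_t gid;
    if (resolve_userspec(spec, &uid, &gid) != 0) return -1;   /* host root */
    if (chroot(newroot) != 0 || chdir("/") != 0) return -1;
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    return 0;
}
```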