Nixpkgs security tracker

Login with GitHub

Suggestion detail

Untriaged

Permalink CVE-2026-35340

5.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): NONE

created 6 days, 11 hours ago Activity log

Created suggestion 6 days, 11 hours ago

uutils coreutils chown and chgrp False Success Exit Code in Recursive Mode

A flaw in the ChownExecutor used by uutils coreutils chown and chgrp causes the utilities to return an incorrect exit code during recursive operations. The final exit code is determined only by the last file processed. If the last operation succeeds, the command returns 0 even if earlier ownership or group changes failed due to permission errors. This can lead to security misconfigurations where administrative scripts incorrectly assume that ownership has been successfully transferred across a directory tree.

References

https://github.com/uutils/coreutils/pull/10035 issue-trackingpatch
https://github.com/uutils/coreutils/releases/tag/0.6.0 vendor-advisory

Affected products

coreutils

<0.6.0

Matching in nixpkgs

pkgs.coreutils

GNU Core Utilities

nixos-unstable 9.10
- nixpkgs-unstable 9.10
- nixos-unstable-small 9.10
nixos-25.11 9.8
- nixos-25.11-small 9.8
- nixpkgs-25.11-darwin 9.8

pkgs.coreutils-full

GNU Core Utilities

nixos-unstable 9.10
- nixpkgs-unstable 9.10
- nixos-unstable-small 9.10
nixos-25.11 9.8
- nixos-25.11-small 9.8
- nixpkgs-25.11-darwin 9.8

pkgs.policycoreutils

SELinux policy core utilities

nixos-unstable 3.10
- nixpkgs-unstable 3.10
- nixos-unstable-small 3.10
nixos-25.11 3.8.1
- nixos-25.11-small 3.8.1
- nixpkgs-25.11-darwin 3.8.1

pkgs.uutils-coreutils

Cross-platform Rust rewrite of the GNU coreutils

nixos-unstable 0.8.0
- nixpkgs-unstable 0.8.0
- nixos-unstable-small 0.8.0
nixos-25.11 0.6.0
- nixos-25.11-small 0.6.0
- nixpkgs-25.11-darwin 0.6.0

pkgs.coreutils-prefixed

GNU Core Utilities

nixos-unstable 9.10
- nixpkgs-unstable 9.10
- nixos-unstable-small 9.10
nixos-25.11 9.8
- nixos-25.11-small 9.8
- nixpkgs-25.11-darwin 9.8

pkgs.uutils-coreutils-noprefix

Cross-platform Rust rewrite of the GNU coreutils

nixos-unstable 0.8.0
- nixpkgs-unstable 0.8.0
- nixos-unstable-small 0.8.0
nixos-25.11 0.6.0
- nixos-25.11-small 0.6.0
- nixpkgs-25.11-darwin 0.6.0

pkgs.minimal-bootstrap.coreutils

The GNU Core Utilities

nixos-unstable 5.0
- nixpkgs-unstable 5.0
- nixos-unstable-small 5.0

pkgs.selinuxPackages.policycoreutils

SELinux policy core utilities

nixos-unstable 3.10
- nixpkgs-unstable 3.10
- nixos-unstable-small 3.10

pkgs.minimal-bootstrap.coreutils-musl

The GNU Core Utilities

nixos-unstable 9.9
- nixpkgs-unstable 9.9
- nixos-unstable-small 9.9

pkgs.minimal-bootstrap.coreutils-static

The GNU Core Utilities

nixos-unstable 9.9
- nixpkgs-unstable 9.9
- nixos-unstable-small 9.9

Package maintainers

@dasJ Janne Heß <janne@hess.ooo>
@mdaniels5757 Michael Daniels <nix@mdaniels.me>
@infinisil Silvan Mosberger <contact@infinisil.com>
@pyrox0 Pyrox <pyrox@pyrox.dev>
@balsoft Alexander Bantyev <balsoft75@gmail.com>
@siraben Siraphob Phipathananunth <bensiraphob@gmail.com>
@Gskartwii Aleksi Hannula <ahannula4@gmail.com>
@06kellyjac Jack <hello+nixpkgs@j-k.io>
@emilytrau Emily Trau <emily+nix@downunderctf.com>
@Ericson2314 John Ericson <John.Ericson@Obsidian.Systems>
@Artturin Artturi N <artturin@artturin.com>
@alejandrosame Alejandro Sánchez Medina <alejandrosanchzmedina@gmail.com>
@RossComputerGuy Tristan Ross <tristan.ross@midstall.com>
@numinit Morgan Jones <me+nixpkgs@numin.it>
@matthiasbeyer Matthias Beyer <mail@beyermatthias.de>
@GaetanLepage Gaetan Lepage <gaetan@glepage.com>