CVE-2026-35368: CWE-426: Untrusted Search Path in Uutils coreutils
A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering the chroot but before dropping root privileges. On glibc-based systems, this can trigger the Name Service Switch (NSS) to load shared libraries (e.g., libnss_*.so.2) from the new root directory. If the NEWROOT is writable by an attacker, they can inject a malicious NSS module to execute arbitrary code as root, facilitating a full container escape or privilege escalation.
AI Analysis
Technical Summary
The vulnerability in uutils coreutils' chroot utility occurs during user specification resolution via getpwnam() after entering the chroot but before privilege dropping. On glibc-based systems, NSS loads shared libraries (e.g., libnss_*.so.2) from the chroot directory. If the chroot directory (NEWROOT) is attacker-writable, malicious NSS modules can be injected, resulting in arbitrary root code execution. This flaw can be exploited for container escapes or privilege escalation. The CVSS 3.1 score is 7.2 (high), reflecting local attack vector with high impact on confidentiality, integrity, and availability. No patch or vendor remediation level is currently documented.
Potential Impact
Successful exploitation allows an attacker with local access and write permissions to the chroot directory to execute arbitrary code as root. This can lead to full container escape or privilege escalation, compromising system confidentiality, integrity, and availability. The vulnerability requires high attack complexity and low privileges but no user interaction. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict write permissions to chroot directories to trusted users only and avoid using the --userspec option in untrusted environments. Monitor vendor channels for updates and apply patches promptly once released.
CVE-2026-35368: CWE-426: Untrusted Search Path in Uutils coreutils
Description
A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering the chroot but before dropping root privileges. On glibc-based systems, this can trigger the Name Service Switch (NSS) to load shared libraries (e.g., libnss_*.so.2) from the new root directory. If the NEWROOT is writable by an attacker, they can inject a malicious NSS module to execute arbitrary code as root, facilitating a full container escape or privilege escalation.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in uutils coreutils' chroot utility occurs during user specification resolution via getpwnam() after entering the chroot but before privilege dropping. On glibc-based systems, NSS loads shared libraries (e.g., libnss_*.so.2) from the chroot directory. If the chroot directory (NEWROOT) is attacker-writable, malicious NSS modules can be injected, resulting in arbitrary root code execution. This flaw can be exploited for container escapes or privilege escalation. The CVSS 3.1 score is 7.2 (high), reflecting local attack vector with high impact on confidentiality, integrity, and availability. No patch or vendor remediation level is currently documented.
Potential Impact
Successful exploitation allows an attacker with local access and write permissions to the chroot directory to execute arbitrary code as root. This can lead to full container escape or privilege escalation, compromising system confidentiality, integrity, and availability. The vulnerability requires high attack complexity and low privileges but no user interaction. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict write permissions to chroot directories to trusted users only and avoid using the --userspec option in untrusted environments. Monitor vendor channels for updates and apply patches promptly once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- canonical
- Date Reserved
- 2026-04-02T12:58:56.088Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e8f7d519fe3cd2cdd00d7d
Added to database: 4/22/2026, 4:31:17 PM
Last enriched: 4/22/2026, 4:46:05 PM
Last updated: 4/23/2026, 2:36:16 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.