CVE-2026-35368: CWE-426: Untrusted Search Path in Uutils coreutils
A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering the chroot but before dropping root privileges. On glibc-based systems, this can trigger the Name Service Switch (NSS) to load shared libraries (e.g., libnss_*.so.2) from the new root directory. If the NEWROOT is writable by an attacker, they can inject a malicious NSS module to execute arbitrary code as root, facilitating a full container escape or privilege escalation.
AI Analysis
Technical Summary
This vulnerability arises from the chroot utility in uutils coreutils resolving user specifications via getpwnam() after entering the chroot environment but before relinquishing root privileges. On systems using glibc, the NSS mechanism loads shared libraries such as libnss_*.so.2 from the chroot directory. If the chroot directory (NEWROOT) is writable by an attacker, they can place malicious NSS modules there, which the utility will load and execute with root privileges. This can lead to arbitrary code execution as root, facilitating full container escape or privilege escalation. The CVSS 3.1 score is 7.2, indicating high severity, with attack vector local, high attack complexity, low privileges required, no user interaction, scope changed, and high impact on confidentiality, integrity, and availability.
Potential Impact
Successful exploitation allows an attacker with write access to the chroot directory to execute arbitrary code as root. This can lead to full container escape or privilege escalation, compromising system confidentiality, integrity, and availability. The vulnerability affects systems using uutils coreutils with glibc-based NSS implementations.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid running the chroot utility with the --userspec option in environments where the new root directory is writable by untrusted users. Restrict write permissions on the chroot directory to trusted users only to prevent malicious NSS module injection.
CVE-2026-35368: CWE-426: Untrusted Search Path in Uutils coreutils
Description
A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering the chroot but before dropping root privileges. On glibc-based systems, this can trigger the Name Service Switch (NSS) to load shared libraries (e.g., libnss_*.so.2) from the new root directory. If the NEWROOT is writable by an attacker, they can inject a malicious NSS module to execute arbitrary code as root, facilitating a full container escape or privilege escalation.
CVSS v3.1
Score 7.2high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability arises from the chroot utility in uutils coreutils resolving user specifications via getpwnam() after entering the chroot environment but before relinquishing root privileges. On systems using glibc, the NSS mechanism loads shared libraries such as libnss_*.so.2 from the chroot directory. If the chroot directory (NEWROOT) is writable by an attacker, they can place malicious NSS modules there, which the utility will load and execute with root privileges. This can lead to arbitrary code execution as root, facilitating full container escape or privilege escalation. The CVSS 3.1 score is 7.2, indicating high severity, with attack vector local, high attack complexity, low privileges required, no user interaction, scope changed, and high impact on confidentiality, integrity, and availability.
Potential Impact
Successful exploitation allows an attacker with write access to the chroot directory to execute arbitrary code as root. This can lead to full container escape or privilege escalation, compromising system confidentiality, integrity, and availability. The vulnerability affects systems using uutils coreutils with glibc-based NSS implementations.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid running the chroot utility with the --userspec option in environments where the new root directory is writable by untrusted users. Restrict write permissions on the chroot directory to trusted users only to prevent malicious NSS module injection.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- canonical
- Date Reserved
- 2026-04-02T12:58:56.088Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e8f7d519fe3cd2cdd00d7d
Added to database: 4/22/2026, 4:31:17 PM
Last enriched: 4/30/2026, 8:04:13 AM
Last updated: 6/6/2026, 11:35:36 PM
Views: 51
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.