CVE-2026-35372: CWE-61: UNIX Symbolic Link (Symlink) Following in Uutils coreutils
A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference (or -n) flag is explicitly provided. The implementation previously only honored the "no-dereference" intent if the --force (overwrite) mode was also enabled. This flaw causes ln to follow a symbolic link that points to a directory and create new links inside that target directory instead of treating the symbolic link itself as the destination. In environments where a privileged user or system script uses ln -n to update a symlink, a local attacker could manipulate existing symbolic links to redirect file creation into sensitive directories, potentially leading to unauthorized file creation or system misconfiguration.
AI Analysis
Technical Summary
The vulnerability in uutils coreutils ln utility arises from a logic error that causes the utility to dereference symbolic links even when the --no-dereference (-n) flag is specified, but only if --force is not also used. This results in ln following a symlink that points to a directory and creating new links inside that directory rather than treating the symlink as the destination. This behavior can be exploited by a local attacker to manipulate file creation paths in privileged contexts, potentially causing unauthorized file creation or system misconfiguration. The issue is tracked as CWE-61 (Improper Handling of Symbolic Links). The vulnerability affects version 0 of the product, was published on 2026-04-22, and currently has no known exploits in the wild or vendor-provided patches.
Potential Impact
The impact is limited to local attackers who can manipulate existing symbolic links to cause privileged users or system scripts using ln -n to create files or links inside unintended directories. This can lead to unauthorized file creation or system misconfiguration. There is no direct confidentiality or availability impact reported. The CVSS vector indicates low attack complexity and low privileges required but user interaction is needed.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, avoid using ln with the --no-dereference (-n) flag in privileged scripts or environments where symbolic links could be manipulated by untrusted users. Consider additional access controls on symbolic links and directories to limit local attacker influence.
CVE-2026-35372: CWE-61: UNIX Symbolic Link (Symlink) Following in Uutils coreutils
Description
A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference (or -n) flag is explicitly provided. The implementation previously only honored the "no-dereference" intent if the --force (overwrite) mode was also enabled. This flaw causes ln to follow a symbolic link that points to a directory and create new links inside that target directory instead of treating the symbolic link itself as the destination. In environments where a privileged user or system script uses ln -n to update a symlink, a local attacker could manipulate existing symbolic links to redirect file creation into sensitive directories, potentially leading to unauthorized file creation or system misconfiguration.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in uutils coreutils ln utility arises from a logic error that causes the utility to dereference symbolic links even when the --no-dereference (-n) flag is specified, but only if --force is not also used. This results in ln following a symlink that points to a directory and creating new links inside that directory rather than treating the symlink as the destination. This behavior can be exploited by a local attacker to manipulate file creation paths in privileged contexts, potentially causing unauthorized file creation or system misconfiguration. The issue is tracked as CWE-61 (Improper Handling of Symbolic Links). The vulnerability affects version 0 of the product, was published on 2026-04-22, and currently has no known exploits in the wild or vendor-provided patches.
Potential Impact
The impact is limited to local attackers who can manipulate existing symbolic links to cause privileged users or system scripts using ln -n to create files or links inside unintended directories. This can lead to unauthorized file creation or system misconfiguration. There is no direct confidentiality or availability impact reported. The CVSS vector indicates low attack complexity and low privileges required but user interaction is needed.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, avoid using ln with the --no-dereference (-n) flag in privileged scripts or environments where symbolic links could be manipulated by untrusted users. Consider additional access controls on symbolic links and directories to limit local attacker influence.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- canonical
- Date Reserved
- 2026-04-02T12:58:56.088Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e8f7d519fe3cd2cdd00d8a
Added to database: 4/22/2026, 4:31:17 PM
Last enriched: 4/22/2026, 4:47:51 PM
Last updated: 4/22/2026, 6:42:44 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.