{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35370", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-04-02T12:58:56.088Z", "datePublished": "2026-04-22T16:08:53.652Z", "dateUpdated": "2026-04-22T17:47:48.546Z"}, "containers": {"cna": {"title": "uutils coreutils id Incorrect Access-Control Decisions via Misrepresented Group Membership", "affected": [{"vendor": "Uutils", "product": "coreutils", "platforms": ["Linux", "Unix", "macOS"], "collectionURL": "https://github.com/uutils", "packageName": "coreutils", "repo": "https://github.com/uutils/coreutils", "defaultStatus": "affected"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels"}]}], "descriptions": [{"lang": "en", "value": "The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions, this discrepancy can lead to unauthorized access or security misconfigurations."}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10006", "tags": ["issue-tracking"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "credits": [{"lang": "en", "value": "Zellic", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:08:53.652Z"}}, "adp": [{"references": [{"url": "https://github.com/uutils/coreutils/issues/10006", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T17:47:44.682826Z", "id": "CVE-2026-35370", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:47:48.546Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35370", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T17:47:44.682826Z"}}}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10006", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:47:40.269Z"}}], "cna": {"title": "uutils coreutils id Incorrect Access-Control Decisions via Misrepresented Group Membership", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Zellic"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/uutils/coreutils", "vendor": "Uutils", "product": "coreutils", "platforms": ["Linux", "Unix", "macOS"], "packageName": "coreutils", "collectionURL": "https://github.com/uutils", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10006", "tags": ["issue-tracking"]}], "descriptions": [{"lang": "en", "value": "The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions, this discrepancy can lead to unauthorized access or security misconfigurations."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:08:53.652Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35370", "state": "PUBLISHED", "dateUpdated": "2026-04-22T17:47:48.546Z", "dateReserved": "2026-04-02T12:58:56.088Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-04-22T16:08:53.652Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions, this discrepancy can lead to unauthorized access or security misconfigurations."}], "id": "CVE-2026-35370", "lastModified": "2026-04-22T21:23:52.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.5, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2026-04-22T17:16:40.833", "references": [{"source": "security@ubuntu.com", "url": "https://github.com/uutils/coreutils/issues/10006"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/uutils/coreutils/issues/10006"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T18:05:20.064569+00:00", "value": {"mitigation_remediation": ["Install the latest stable release of uutils coreutils that contains the fixed id implementation.", "Replace or modify any security- critical scripts that parse the id or groups= output to instead call the GNU coreutils id or to verify the effective GID matches the real GID before making access decisions.", "Add defensive checks in scripts to compare the groups= field against /proc/self/status or the effective GID value to detect inconsistencies and refuse to grant privileges if a mismatch exists."], "summary": {"action": "Patch", "impact": "Unauthorized Access via erroneous group membership representation"}, "threat_synthesis": {"affected_systems": "Affected vertices are all installations that include the uutils coreutils package. The vulnerability is present in any version where the id command has not been updated to compute the group list using the effective GID. No specific patch version is listed in the advisory, so all current releases before a fix are potentially vulnerable.", "description_and_impact": "The id utility in uutils coreutils calculates the groups= field by using a user's real GID instead of the effective GID that represents the privileges actually granted to the process. This miscalculation leads to an inaccurate group list in the utility's output. Because many security-sensitive scripts and automated tools parse the id output to enforce access-control policies, the discrepancy can cause misconfigurations that allow a user to gain privileges they have not been approved for, or to bypass intended restrictions. The flaw is an instance of an Authority Problem (CWE-863), primarily impacting the integrity and confidentiality of protected resources.", "risk_and_exploitability": "The CVSS score of 4.4 indicates a moderate assessment of impact, and no EPSS score is available. The vulnerability is not currently listed in CISA KEV. Exploitation would likely involve scripts or processes that rely on the canonical form of the id output for group membership checks. An attacker would need to influence or bypass a script that trusts the id output; the exploit is local to the environment where such scripts run, but could be used in a broader compromise chain if other services depend on the wrong group list. The solution from the CNA would be to update the package; until then, mitigations depend on changing the logic of scripts or using the GNU coreutils id that correctly reports effective GIDs."}}}}, "created": "2026-04-22T18:15:15.481462+00:00", "updated": "2026-04-22T18:15:15.481473+00:00", "vendors": []}