<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-07-14T11:36:22.279027+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the most 10 recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/efccf5d6-9354-4695-9b6a-dd3d3061ee49/export</id>
    <title>efccf5d6-9354-4695-9b6a-dd3d3061ee49</title>
    <updated>2026-07-14T11:36:22.317343+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "efccf5d6-9354-4695-9b6a-dd3d3061ee49", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-35339", "type": "seen", "source": "https://gist.github.com/alon710/194b323308c6542ff0a22bb475e2c02f", "content": "# CVE-2026-35339: CVE-2026-35339: Incorrect Exit Status Propagation in Rust uutils/coreutils chmod Recursive Execution\n\n&amp;gt; **CVSS Score:** 5.5\n&amp;gt; **Published:** 2026-07-06\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-35339\n\n## Summary\nCVE-2026-35339 is a logic vulnerability in the Rust-written `uutils/coreutils` implementation of the `chmod` utility. When executing recursively (`-R` or `--recursive`) over multiple target paths, the utility fails to accumulate the overall exit status, overwriting error codes from early failures with the status of the final target. This results in false-success exit codes (0), potentially leading security automation and deployment scripts to assume permission modifications succeeded when they actually failed.\n\n## TL;DR\nA 'last-file-wins' logic vulnerability in Rust-based `chmod -R` permits silent failures, returning exit code 0 even if previous targets failed. This bypasses automated permission checks in scripts and CI/CD pipelines.\n\n## Technical Details\n\n- **CWE ID**: CWE-253 (Incorrect Check of Function Return Value)\n- **Attack Vector**: Local (AV:L)\n- **CVSS v3.1**: 5.5 (Medium)\n- **EPSS Score**: 0.00142 (3.90th percentile)\n- **Impact**: Integrity Loss (Silent permission-application bypasses)\n- **Exploit Status**: No public weaponized exploits available\n- **CISA KEV Status**: Not listed\n\n## Affected Systems\n\n- uutils/coreutils\n- **coreutils**: &amp;lt; 0.6.0 (Fixed in: `0.6.0`)\n\n## Mitigation\n\n- Upgrade uutils/coreutils to version 0.6.0 or later.\n- Deconstruct multi-argument recursive chmod operations in scripts into separate commands or chain them with explicit logical operators.\n- Implement defensive post-execution verification checks using test operators or find to validate that target permissions match expectations.\n\n**Remediation Steps:**\n1. Identify systems or container images using Rust uutils/coreutils.\n2. Update coreutils package to version 0.6.0 or higher.\n3. For active CI/CD pipelines, audit bash scripts or Ansible playbooks that invoke chmod with multiple recursive directory targets.\n4. Modify multi-target invocations to single-target invocations linked with '&amp;amp;&amp;amp;' if immediate upgrades are not possible.\n\n## References\n\n- [CVE-2026-35339 Record](https://www.cve.org/CVERecord?id=CVE-2026-35339)\n- [GitHub Pull Request 9793](https://github.com/uutils/coreutils/pull/9793)\n- [Security Fix Commit](https://github.com/uutils/coreutils/commit/abd581f62e97d0b147306ac40eac13af71c6fbba)\n- [uutils coreutils 0.6.0 Release](https://github.com/uutils/coreutils/releases/tag/0.6.0)\n- [Wiz Vulnerability Database Entry](https://www.wiz.io/vulnerability-database/cve/cve-2026-35339)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-35339) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-06T19:41:46.111341Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/efccf5d6-9354-4695-9b6a-dd3d3061ee49/export"/>
    <published>2026-07-06T19:41:46.111341+00:00</published>
  </entry>
</feed>
