<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the most 10 recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Tue, 14 Jul 2026 11:36:22 +0000</lastBuildDate>
    <item>
      <title>efccf5d6-9354-4695-9b6a-dd3d3061ee49</title>
      <link>https://vulnerability.circl.lu/sighting/efccf5d6-9354-4695-9b6a-dd3d3061ee49/export</link>
      <description>{"uuid": "efccf5d6-9354-4695-9b6a-dd3d3061ee49", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-35339", "type": "seen", "source": "https://gist.github.com/alon710/194b323308c6542ff0a22bb475e2c02f", "content": "# CVE-2026-35339: CVE-2026-35339: Incorrect Exit Status Propagation in Rust uutils/coreutils chmod Recursive Execution\n\n&amp;gt; **CVSS Score:** 5.5\n&amp;gt; **Published:** 2026-07-06\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-35339\n\n## Summary\nCVE-2026-35339 is a logic vulnerability in the Rust-written `uutils/coreutils` implementation of the `chmod` utility. When executing recursively (`-R` or `--recursive`) over multiple target paths, the utility fails to accumulate the overall exit status, overwriting error codes from early failures with the status of the final target. This results in false-success exit codes (0), potentially leading security automation and deployment scripts to assume permission modifications succeeded when they actually failed.\n\n## TL;DR\nA 'last-file-wins' logic vulnerability in Rust-based `chmod -R` permits silent failures, returning exit code 0 even if previous targets failed. This bypasses automated permission checks in scripts and CI/CD pipelines.\n\n## Technical Details\n\n- **CWE ID**: CWE-253 (Incorrect Check of Function Return Value)\n- **Attack Vector**: Local (AV:L)\n- **CVSS v3.1**: 5.5 (Medium)\n- **EPSS Score**: 0.00142 (3.90th percentile)\n- **Impact**: Integrity Loss (Silent permission-application bypasses)\n- **Exploit Status**: No public weaponized exploits available\n- **CISA KEV Status**: Not listed\n\n## Affected Systems\n\n- uutils/coreutils\n- **coreutils**: &amp;lt; 0.6.0 (Fixed in: `0.6.0`)\n\n## Mitigation\n\n- Upgrade uutils/coreutils to version 0.6.0 or later.\n- Deconstruct multi-argument recursive chmod operations in scripts into separate commands or chain them with explicit logical operators.\n- Implement defensive post-execution verification checks using test operators or find to validate that target permissions match expectations.\n\n**Remediation Steps:**\n1. Identify systems or container images using Rust uutils/coreutils.\n2. Update coreutils package to version 0.6.0 or higher.\n3. For active CI/CD pipelines, audit bash scripts or Ansible playbooks that invoke chmod with multiple recursive directory targets.\n4. Modify multi-target invocations to single-target invocations linked with '&amp;amp;&amp;amp;' if immediate upgrades are not possible.\n\n## References\n\n- [CVE-2026-35339 Record](https://www.cve.org/CVERecord?id=CVE-2026-35339)\n- [GitHub Pull Request 9793](https://github.com/uutils/coreutils/pull/9793)\n- [Security Fix Commit](https://github.com/uutils/coreutils/commit/abd581f62e97d0b147306ac40eac13af71c6fbba)\n- [uutils coreutils 0.6.0 Release](https://github.com/uutils/coreutils/releases/tag/0.6.0)\n- [Wiz Vulnerability Database Entry](https://www.wiz.io/vulnerability-database/cve/cve-2026-35339)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-35339) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-06T19:41:46.111341Z"}</description>
      <content:encoded>{"uuid": "efccf5d6-9354-4695-9b6a-dd3d3061ee49", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-35339", "type": "seen", "source": "https://gist.github.com/alon710/194b323308c6542ff0a22bb475e2c02f", "content": "# CVE-2026-35339: CVE-2026-35339: Incorrect Exit Status Propagation in Rust uutils/coreutils chmod Recursive Execution\n\n&amp;gt; **CVSS Score:** 5.5\n&amp;gt; **Published:** 2026-07-06\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-35339\n\n## Summary\nCVE-2026-35339 is a logic vulnerability in the Rust-written `uutils/coreutils` implementation of the `chmod` utility. When executing recursively (`-R` or `--recursive`) over multiple target paths, the utility fails to accumulate the overall exit status, overwriting error codes from early failures with the status of the final target. This results in false-success exit codes (0), potentially leading security automation and deployment scripts to assume permission modifications succeeded when they actually failed.\n\n## TL;DR\nA 'last-file-wins' logic vulnerability in Rust-based `chmod -R` permits silent failures, returning exit code 0 even if previous targets failed. This bypasses automated permission checks in scripts and CI/CD pipelines.\n\n## Technical Details\n\n- **CWE ID**: CWE-253 (Incorrect Check of Function Return Value)\n- **Attack Vector**: Local (AV:L)\n- **CVSS v3.1**: 5.5 (Medium)\n- **EPSS Score**: 0.00142 (3.90th percentile)\n- **Impact**: Integrity Loss (Silent permission-application bypasses)\n- **Exploit Status**: No public weaponized exploits available\n- **CISA KEV Status**: Not listed\n\n## Affected Systems\n\n- uutils/coreutils\n- **coreutils**: &amp;lt; 0.6.0 (Fixed in: `0.6.0`)\n\n## Mitigation\n\n- Upgrade uutils/coreutils to version 0.6.0 or later.\n- Deconstruct multi-argument recursive chmod operations in scripts into separate commands or chain them with explicit logical operators.\n- Implement defensive post-execution verification checks using test operators or find to validate that target permissions match expectations.\n\n**Remediation Steps:**\n1. Identify systems or container images using Rust uutils/coreutils.\n2. Update coreutils package to version 0.6.0 or higher.\n3. For active CI/CD pipelines, audit bash scripts or Ansible playbooks that invoke chmod with multiple recursive directory targets.\n4. Modify multi-target invocations to single-target invocations linked with '&amp;amp;&amp;amp;' if immediate upgrades are not possible.\n\n## References\n\n- [CVE-2026-35339 Record](https://www.cve.org/CVERecord?id=CVE-2026-35339)\n- [GitHub Pull Request 9793](https://github.com/uutils/coreutils/pull/9793)\n- [Security Fix Commit](https://github.com/uutils/coreutils/commit/abd581f62e97d0b147306ac40eac13af71c6fbba)\n- [uutils coreutils 0.6.0 Release](https://github.com/uutils/coreutils/releases/tag/0.6.0)\n- [Wiz Vulnerability Database Entry](https://www.wiz.io/vulnerability-database/cve/cve-2026-35339)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-35339) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-06T19:41:46.111341Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/efccf5d6-9354-4695-9b6a-dd3d3061ee49/export</guid>
      <pubDate>Mon, 06 Jul 2026 19:41:46 +0000</pubDate>
    </item>
  </channel>
</rss>
