{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35365", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-04-02T12:58:56.088Z", "datePublished": "2026-04-22T16:08:41.136Z", "dateUpdated": "2026-04-22T17:59:34.571Z"}, "containers": {"cna": {"title": "uutils coreutils mv Denial of Service and Data Duplication via Improper Symlink Expansion", "affected": [{"vendor": "Uutils", "product": "coreutils", "platforms": ["Linux", "Unix", "macOS"], "collectionURL": "https://github.com/uutils", "packageName": "coreutils", "repo": "https://github.com/uutils/coreutils", "versions": [{"status": "affected", "lessThan": "0.7.0", "version": "0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-59", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-132", "descriptions": [{"lang": "en", "value": "CAPEC-132: Symlink Attack"}]}], "descriptions": [{"lang": "en", "value": "The mv utility in uutils coreutils improperly handles directory trees containing symbolic links during moves across filesystem boundaries. Instead of preserving symlinks, the implementation expands them, copying the linked targets as real files or directories at the destination. This can lead to resource exhaustion (disk space or time) if symlinks point to large external directories, unexpected duplication of sensitive data into unintended locations, or infinite recursion and repeated copying in the presence of symlink loops."}], "references": [{"url": "https://github.com/uutils/coreutils/pull/10546", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.7.0", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseSeverity": "MEDIUM", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L"}}], "credits": [{"lang": "en", "value": "Zellic", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:08:41.136Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T17:59:28.819706Z", "id": "CVE-2026-35365", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:59:34.571Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The mv utility in uutils coreutils improperly handles directory trees containing symbolic links during moves across filesystem boundaries. Instead of preserving symlinks, the implementation expands them, copying the linked targets as real files or directories at the destination. This can lead to resource exhaustion (disk space or time) if symlinks point to large external directories, unexpected duplication of sensitive data into unintended locations, or infinite recursion and repeated copying in the presence of symlink loops."}], "id": "CVE-2026-35365", "lastModified": "2026-04-22T17:16:39.900", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.7, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2026-04-22T17:16:39.900", "references": [{"source": "security@ubuntu.com", "url": "https://github.com/uutils/coreutils/pull/10546"}, {"source": "security@ubuntu.com", "url": "https://github.com/uutils/coreutils/releases/tag/0.7.0"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T18:06:56.247388+00:00", "value": {"mitigation_remediation": ["Update to the latest uutils coreutils release that addresses the symlink expansion issue.", "Avoid moving directory trees that contain symbolic links, especially when the links may point to large or sensitive external directories.", "If upgrading is not feasible, restrict mv usage to directories verified to lack symlink loops or large external targets, or use a tool that preserves symlinks without expanding them."], "summary": {"action": "Assess Impact", "impact": "Denial of Service and Data Duplication"}, "threat_synthesis": {"affected_systems": "The affected product is Uutils coreutils; specific version information is not provided. Any installation of this utility that exhibits the described behavior may be vulnerable.", "description_and_impact": "The mv utility in uutils coreutils incorrectly expands symbolic links when moving directories across filesystem boundaries, instead of preserving them. This behavior can cause disk space exhaustion or overly long execution when symlinks point to large external directories, duplicate sensitive data into unintended locations, or trigger infinite recursion due to symlink loops. The vulnerability is classified as CWE\u201159 and results in denial of service and potential data leakage. The likely attack vector is that an attacker controls a source directory containing such symlinks and uses mv to move it, either manually or via a malicious script.", "risk_and_exploitability": "The CVSS score of 6.6 indicates a moderate severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known large\u2011scale exploitation yet. Nonetheless, a local user with the ability to arrange a symlink\u2011heavy directory tree can exploit the flaw to exhaust disk resources or create redundant copies of data. The impact is confined to the host where mv is executed, but can cause significant resource depletion and inadvertent data exposure."}}}}, "created": "2026-04-22T18:15:15.482498+00:00", "updated": "2026-04-22T18:15:15.482508+00:00", "vendors": []}