uutils coreutils id Misleading Identity Reporting in Pretty Print Mode
Summary
| CVE | CVE-2026-35371 |
|---|---|
| State | PUBLISHED |
| Assigner | canonical |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-22 17:16:40 UTC |
| Updated | 2026-04-22 21:23:52 UTC |
| Description | The id utility in uutils coreutils exhibits incorrect behavior in its "pretty print" output when the real UID and effective UID differ. The implementation incorrectly uses the effective GID instead of the effective UID when performing a name lookup for the effective user. This results in misleading diagnostic output that can cause automated scripts or system administrators to make incorrect decisions regarding file permissions or access control. |
Risk And Classification
Primary CVSS: v3.1 3.3 LOW from [email protected]
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Problem Types: CWE-451 | CWE-451 CWE-451: User Interface (UI) Misrepresentation of Critical Information
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | CNA | CVSS | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
LowAvailability
NoneCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/uutils/coreutils/issues/10006 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Zellic (en)
There are currently no legacy QID mappings associated with this CVE.