{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35368", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-04-02T12:58:56.088Z", "datePublished": "2026-04-22T16:08:48.965Z", "dateUpdated": "2026-04-22T17:48:59.808Z"}, "containers": {"cna": {"title": "uutils coreutils chroot Local Privilege Escalation and chroot Escape in via Name Service Switch (NSS) Injection", "affected": [{"vendor": "Uutils", "product": "coreutils", "platforms": ["Linux", "Unix", "macOS"], "collectionURL": "https://github.com/uutils", "packageName": "coreutils", "repo": "https://github.com/uutils/coreutils", "defaultStatus": "affected"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-426", "description": "CWE-426: Untrusted Search Path", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233: Privilege Escalation"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering the chroot but before dropping root privileges. On glibc-based systems, this can trigger the Name Service Switch (NSS) to load shared libraries (e.g., libnss_*.so.2) from the new root directory. If the NEWROOT is writable by an attacker, they can inject a malicious NSS module to execute arbitrary code as root, facilitating a full container escape or privilege escalation."}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10327", "tags": ["issue-tracking"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Zellic", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:08:48.965Z"}}, "adp": [{"references": [{"url": "https://github.com/uutils/coreutils/issues/10327", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T17:48:56.293959Z", "id": "CVE-2026-35368", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:48:59.808Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35368", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-22T17:48:56.293959Z"}}}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10327", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:48:51.326Z"}}], "cna": {"title": "uutils coreutils chroot Local Privilege Escalation and chroot Escape in via Name Service Switch (NSS) Injection", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Zellic"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233: Privilege Escalation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/uutils/coreutils", "vendor": "Uutils", "product": "coreutils", "platforms": ["Linux", "Unix", "macOS"], "packageName": "coreutils", "collectionURL": "https://github.com/uutils", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10327", "tags": ["issue-tracking"]}], "descriptions": [{"lang": "en", "value": "A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering the chroot but before dropping root privileges. On glibc-based systems, this can trigger the Name Service Switch (NSS) to load shared libraries (e.g., libnss_*.so.2) from the new root directory. If the NEWROOT is writable by an attacker, they can inject a malicious NSS module to execute arbitrary code as root, facilitating a full container escape or privilege escalation."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-426", "description": "CWE-426: Untrusted Search Path"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:08:48.965Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35368", "state": "PUBLISHED", "dateUpdated": "2026-04-22T17:48:59.808Z", "dateReserved": "2026-04-02T12:58:56.088Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-04-22T16:08:48.965Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering the chroot but before dropping root privileges. On glibc-based systems, this can trigger the Name Service Switch (NSS) to load shared libraries (e.g., libnss_*.so.2) from the new root directory. If the NEWROOT is writable by an attacker, they can inject a malicious NSS module to execute arbitrary code as root, facilitating a full container escape or privilege escalation."}], "id": "CVE-2026-35368", "lastModified": "2026-04-22T21:23:52.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.1, "impactScore": 6.0, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2026-04-22T17:16:40.560", "references": [{"source": "security@ubuntu.com", "url": "https://github.com/uutils/coreutils/issues/10327"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/uutils/coreutils/issues/10327"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-426"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T18:05:55.440455+00:00", "value": {"mitigation_remediation": ["Upgrade uutils coreutils to the newest stable release that incorporates the NSS module loading fix.", "Ensure that directories used as NEWROOT are not writable by untrusted users, reducing the chance to inject malicious NSS modules.", "Restrict or disable the --userspec option in chroot, or configure the environment so that getpwnam() resolves users against a trusted directory that does not contain malicious NSS libraries."], "summary": {"action": "Assess Impact", "impact": "Privilege Escalation and Container Escape"}, "threat_synthesis": {"affected_systems": "Uutils coreutils on glibc\u2011based systems is affected when a user can supply a writable NEWROOT directory and invoke chroot with the --userspec option. No specific version range is disclosed, so all releases that have not yet applied the NSS module loading fix are potentially vulnerable.", "description_and_impact": "A vulnerable implementation of the chroot utility in uutils coreutils permits malicious code execution when an attacker\u2011friendly directory is used as the new root. By leveraging the --userspec option, the program resolves user names via getpwnam() after changing into the chroot but before dropping the root privilege. On glibc\u2011based systems the Name Service Switch (NSS) will load shared libraries from the new root, allowing an attacker to supply a forged libnss_*.so.2 that is executed as root. This flaw directly enables local privilege escalation and a potential full container escape.", "risk_and_exploitability": "The CVSS score is 7.2 and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. The attack requires an attacker to control a writable location that can be used as the new root directory and to invoke chroot with the --userspec option. Once those conditions are met, the vulnerable code will load the attacker\u2011supplied NSS module before dropping privileges. Successful exploitation would give the attacker arbitrary code execution as root, enabling complete container escape or privilege escalation. The lack of an exploit score and KEV listing suggests that the vulnerability is not yet widely exploited but the potential impact is significant."}}}}, "created": "2026-04-22T18:15:15.481724+00:00", "updated": "2026-04-22T18:15:15.481735+00:00", "vendors": []}