CVE-2026-35338: uu_chmod --preserve-root Bypass via Unresolved Path
The Rust rewrite of chmod trusts the raw argument string rather than the resolved filesystem path, so passing '/../' instead of '/' silently bypasses the --preserve-root guard and lets a recursive chm
The problem
Chmoder::chmod() in uu_chmod compares the user-supplied argument directly against Path::new("/"). Any path that resolves to root but does not look exactly like "/" in string form skips the guard entirely.
The two confirmed bypass forms are the dot-dot path /../ and any symlink whose target is /. Either one, combined with -R, lets chmod operate on every file on the system. The impact is complete: permissions wiped, system unbootable.
Proof of concept
A working proof-of-concept for CVE-2026-35338 in uu_chmod, with the exact payload below.
chmod -R --preserve-root 000 /../The vulnerable comparison is a literal string check: file == Path::new("/"). Because /../ normalizes to / at the kernel level but is a different byte sequence, the check never fires.
The fix in commit 413055b3 (PR #10033) calls fs::canonicalize() on the argument before the comparison, resolving symlinks and dot-dot segments into their real absolute path. Only after canonicalization does the code check whether the result equals /. The same pattern (missing pre-comparison canonicalization) maps to CWE-22 (Path Traversal) and CWE-59 (Link Following).
The fix
Upgrade uu_chmod (uutils coreutils) to 0.6.0 or later. The fix is in commit 413055b378fa6fe2299c5e5f538c8e6e841ab810. If you cannot upgrade immediately, avoid running chmod -R --preserve-root with any path supplied by an untrusted caller, and validate arguments with realpath(1) before passing them to the binary.
Reported by Zellic (uutils coreutils Program Security Assessment for Canonical, Jan 2026).
Related research
- high · 7.1CVE-2026-50163CVE-2026-50163: oras-go Hardlink Path Traversal via CWD Resolution
- high · 8.1SurrealDB HTTP RPC Session Race Condition Allows Privilege Escalation
- critical · 9.6CVE-2026-54352CVE-2026-54352: @budibase/server Arbitrary File Read via PWA ZIP Symlink
- criticalCVE-2026-52811CVE-2026-52811: Gogs UploadRepoFiles Arbitrary File Write via Parent Symlink