CVE-2026-35368

HIGH EPSS 3.4%

Published Apr 22, 20262mo ago · Modified Jun 17, 20261w ago

7.8 CVSS 3.1

High

Published Apr 22, 2026 2mo ago

Last Modified Jun 17, 2026 1w ago

Description

A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering the chroot but before dropping root privileges. On glibc-based systems, this can trigger the Name Service Switch (NSS) to load shared libraries (e.g., libnss_*.so.2) from the new root directory. If the NEWROOT is writable by an attacker, they can inject a malicious NSS module to execute arbitrary code as root, facilitating a full container escape or privilege escalation.

CVSS Details

Base Score

7.8

Exploitability

1.1

Impact

6.0

Vector string

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector Local

Attack Complexity High

Privileges Required Low

User Interaction None

Scope Changed

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

3.4% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 1

CWE-426

Affected Products 1

Vendor	Product	Version	Range
uutils	coreutils	*	any

References 1

github.com https://github.com/uutils/coreutils/issues/10327

ExploitIssue TrackingVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.