{"uuid": "ef7ca1ec-067c-47c6-9391-edf60b654e68", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-35371", "type": "seen", "source": "https://gist.github.com/alon710/f5f0c292471d2cc05167d6fa94d49a4e", "content": "# CVE-2026-35371: CVE-2026-35371: Logical Identity Spoofing in uutils coreutils id Utility\n\n&gt; **CVSS Score:** 3.3\n&gt; **Published:** 2026-07-06\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-35371\n\n## Summary\nCVE-2026-35371 is a logical validation vulnerability (CWE-451) in the Rust-based GNU coreutils clone (uutils/coreutils). When formatting pretty-print statistics for a process where the real User ID (UID) and effective User ID (EUID) differ, the id utility mistakenly uses the effective Group ID (EGID) to retrieve the effective user name. This mismatch can mislead administrative scripts or system administrators who rely on the command's stdout to verify privilege states.\n\n## TL;DR\nThe Rust-based uutils 'id' utility incorrectly resolves the effective user's name using the effective Group ID (EGID) instead of the effective User ID (EUID) when real and effective IDs differ. This allows local users to spoof their reported username to downstream scripts by manipulating their group context.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-451\n- **Attack Vector**: Local (AV:L)\n- **CVSS Base Score**: 3.3\n- **EPSS Score**: 0.00123\n- **EPSS Percentile**: 2.42%\n- **Impact**: Identity spoofing and downstream script logic bypass\n- **Exploit Status**: Proof of concept\n- **KEV Status**: Not listed\n\n## Affected Systems\n\n- uutils coreutils\n- Ubuntu Linux (with uutils coreutils installed)\n- **uutils coreutils**: All versions prior to the January 2026 fix commit (Fixed in: `Commit addressing issue 10006`)\n\n## Mitigation\n\n- Update uutils coreutils to the latest commit addressing issue 10006\n- Configure critical system scripts to prioritize standard GNU coreutils instead of uutils clone\n- Utilize shell environmental variables like $EUID for authorization verification instead of parsing id CLI stdout\n\n**Remediation Steps:**\n1. Identify any active installations of the Rust-based uutils coreutils id utility.\n2. Apply the patch replacing 'uid2usr(egid)' with 'uid2usr(euid)' in the src/uu/id/src/id.rs file.\n3. Recompile uutils using Cargo.\n4. Audit downstream service scripts for patterns parsing the stdout of 'id' command directly.\n\n## References\n\n- [Official Issue Tracking Page](https://github.com/uutils/coreutils/issues/10006)\n- [CVE.org Authority Portal](https://www.cve.org/CVERecord?id=CVE-2026-35371)\n- [NVD Authority Record](https://nvd.nist.gov/vuln/detail/CVE-2026-35371)\n- [Wiz Vulnerability Database Advisory](https://www.wiz.io/vulnerability-database/cve/cve-2026-35371)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-35371) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-06T20:12:01.360718Z"}