CVE-2026-35358

low-risk

Published 2026-04-22

The cp utility in uutils coreutils, when performing recursive copies (-R), incorrectly treats character and block device nodes as stream sources rather than preserving them. Because the implementation reads bytes into regular files at the destination instead of using mknod, device semantics are destroyed (e.g., /dev/null becomes a regular file). This behavior can lead to runtime denial of service through disk exhaustion or process hangs when reading from unbounded device nodes.

Do I need to act?

0.01% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.4/10 Medium

LOCAL / LOW complexity

References (4)

https://github.com/uutils/coreutils/issues/9746

https://github.com/uutils/coreutils/pull/11163

https://github.com/uutils/coreutils/releases/tag/0.7.0

https://github.com/uutils/coreutils/issues/9746

/ 100

low-risk

Severity 15/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal