EXECUTIVE SUMMARY:
CVE-2026-35358 with a CVSS score of 4.4 is a resource consumption vulnerability affecting the rust/uu_cp package in versions. This technical flaw arises because the utility incorrectly processes character and block device nodes during recursive copy operations, specifically reading bytes into regular files at the destination rather than utilizing the mknod system call to preserve device semantics. An attacker with local access and low privileges can exploit this issue by executing recursive commands that target these device nodes, requiring no user interaction to trigger the behavior. This capability allows the attacker to destroy device semantics, such as converting /dev/null into a regular file, which leads to a denial of service. The business impact includes potential operational downtime resulting from disk space exhaustion or process hangs when the system attempts to read from unbounded device nodes. Successful exploitation is contingent upon the targeted system executing recursive copies and the presence of accessible device nodes within the file system hierarchy.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
CVE-2026-35358 with a CVSS score of 4.4 is a resource consumption vulnerability affecting the rust/uu_cp package in versions. This technical flaw arises because the utility incorrectly processes character and block device nodes during recursive copy operations, specifically reading bytes into regular files at the destination rather than utilizing the mknod system call to preserve device semantics. An attacker with local access and low privileges can exploit this issue by executing recursive commands that target these device nodes, requiring no user interaction to trigger the behavior. This capability allows the attacker to destroy device semantics, such as converting /dev/null into a regular file, which leads to a denial of service. The business impact includes potential operational downtime resulting from disk space exhaustion or process hangs when the system attempts to read from unbounded device nodes. Successful exploitation is contingent upon the targeted system executing recursive copies and the presence of accessible device nodes within the file system hierarchy.[emaillocker id="1283"]
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-8vrf-r662-2w2v