2460775 – (CVE-2026-35370) CVE-2026-35370 rust-coreutils: id: incorrect access-control decisions via misrepresented group membership

Bug 2460775 (CVE-2026-35370) - CVE-2026-35370 rust-coreutils: id: incorrect access-control decisions via misrepresented group membership

Summary: CVE-2026-35370 rust-coreutils: id: incorrect access-control decisions via mis...

Keywords:
Status:	NEW
Alias:	CVE-2026-35370
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2461670 2461671
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-22 17:02 UTC by OSIDB Bzimport
Modified:	2026-04-24 19:57 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-22 17:02:00 UTC

The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions, this discrepancy can lead to unauthorized access or security misconfigurations.

Note You need to log in before you can comment on or make changes to this bug.