Chroot Vulnerability Allows Root Privileges via Malicious NSS Modules
The National Vulnerability Database has identified CVE-2026-35368, a critical flaw in the uutils coreutils chroot utility. The vulnerability arises when the –userspec option is used. The system resolves user specifications using getpwnam() after entering the chroot but before dropping root privileges. On glibc-based systems, this sequence can be exploited. The Name Service Switch (NSS) mechanism may load shared libraries from the newly established root directory. If an attacker can write to this NEWROOT, they can plant a malicious NSS module. This module then executes arbitrary code with root privileges, enabling a full container escape or significant privilege escalation.
The National Vulnerability Database highlights a CVSS score of 7.8 (HIGH) for this issue. The attack vector is local (AV:L), requires low privileges (PR:L), and has a high complexity (AC:H). Crucially, it allows for significant system modification (S:C) leading to complete confidentiality, integrity, and availability compromise (C:H/I:H/A:H). This means a compromised system could be fully taken over.
Defenders must prioritize patching or updating uutils coreutils to mitigate CVE-2026-35368. For containerized environments, strict controls on write access to new root directories are essential. Auditing the Name Service Switch configuration and loaded modules within chroot environments can also provide early detection of malicious activity. Understanding the attacker’s calculus here is simple: gain initial limited access, then leverage this chroot flaw for full root compromise.
What This Means For You
- If your environment uses uutils coreutils and the chroot utility, especially within containers or with user-specified configurations, you must urgently verify your software versions and apply necessary patches. Audit any chroot deployments for write permissions on the target directory and review NSS configurations for unauthorized modules.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Privilege Escalation via Malicious NSS Module in Chroot - CVE-2026-35368
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-35368 | Privilege Escalation | uutils coreutils chroot utility --userspec option |
| CVE-2026-35368 | RCE | Malicious NSS module injection via writable NEWROOT in chroot |
| CVE-2026-35368 | Container Escape | uutils coreutils chroot utility --userspec option with malicious NSS module |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 22, 2026 at 20:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related Posts
CVE-2026-34066 — nimiq-blockchain provides persistent block storage for
CVE-2026-34066 — nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryStore::put_historic_txns` uses an `assert!` to enforce invariants about `HistoricTransaction.block_number` (must...
Nimiq Primitives Node Panic via Malformed BLS Key
CVE-2026-34065 — nimiq-primitives contains primitives (e.g., block, account, transaction) to be used in Nimiq's Rust implementation. Prior to version 1.3.0, an untrusted p2p peer can...
CVE-2026-34064 — nimiq-account contains account primitives to be used in
CVE-2026-34064 — nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `VestingContract::can_change_balance` returns `AccountError::InsufficientFunds` when `new_balance < min_cap`, but...