CVE-2026-35369 MEDIUM

CVE-2026-35369: uutils coreutils kill System-wide Process Termination and Denial of Service via Argument Misinterpretation

Vendor Uutils
Product coreutils
Weakness CWE-20 · Input validation
Published April 22, 2026
Last update April 22, 2026
View on NVD All CVEs

CVSS base score

5.5/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

An argument parsing error in the kill utility of uutils coreutils incorrectly interprets kill -1 as a request to send the default signal (SIGTERM) to PID -1. Sending a signal to PID -1 causes the kernel to terminate all processes visible to the caller, potentially leading to a system crash or massive process termination. This differs from GNU coreutils, which correctly recognizes -1 as a signal number in this context and would instead report a missing PID argument.

Key dates

02Disclosure timeline

April 22, 2026 CVE published
April 22, 2026 Record updated