uutils coreutils Symbolic Link Handling Vulnerability in mv Utility

Vulnerability

A vulnerability exists in the mv utility of uutils coreutils version 0.7.0, released on March 8, 2026. The issue arises when moving directory trees that contain symbolic links across different filesystem boundaries. Instead of maintaining the symlinks, the utility expands them, copying the linked targets as actual files or directories at the destination. This behavior can cause resource exhaustion, such as excessive disk space usage or prolonged operation times, especially if the symlinks reference large external directories. Additionally, it may lead to unintended duplication of sensitive data in inappropriate locations or trigger infinite recursion and repeated copying when symlink loops are present.

Impact

Exploitation of this vulnerability can result in resource exhaustion, either by consuming excessive disk space or causing prolonged operation times. This is particularly problematic if symbolic links point to large external directories. The vulnerability also risks unintended duplication of sensitive data into inappropriate locations or could cause infinite recursion and repeated copying in the presence of symlink loops.

Reproduction

To reproduce this vulnerability, create a directory tree that includes symbolic links pointing to large external directories or that form loops. Then, use the mv utility to move this directory tree across filesystem boundaries. Observe that instead of preserving the symbolic links, the utility copies the linked targets as real files or directories, potentially leading to resource exhaustion or other unintended consequences.
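The following is an added example, not part of the advisory and not uutils code: a Python sketch that records every symlink in a tree before a cross-filesystem move, flags links that would be costly or unsafe if dereferenced, and checks afterwards that each link is still a link at the destination. The function names and the sample tree are hypothetical and constructed for illustration; POSIX symlink semantics are assumed.

```python
import os
import tempfile

def symlink_manifest(root):
    """Map each symlink (path relative to root) to its raw target, never following links."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                manifest[os.path.relpath(path, root)] = os.readlink(path)
    return manifest

def risky_links(root):
    """Classify links that would be costly or unsafe if a mover dereferenced them."""
    real_root, risky = os.path.realpath(root), {}
    for rel in symlink_manifest(root):
        path = os.path.join(root, rel)
        if not os.path.exists(path):          # follows the link: dangling or ELOOP
            risky[rel] = "dangling-or-loop"
            continue
        target = os.path.realpath(path)
        parent = os.path.realpath(os.path.dirname(path))
        if os.path.commonpath([real_root, target]) != real_root:
            risky[rel] = "escapes-tree"       # target lives outside the moved tree
        elif os.path.commonpath([target, parent]) == target:
            risky[rel] = "ancestor-loop"      # target contains the link itself
    return risky

def expanded_links(before, dest_root):
    """Links from the pre-move manifest that are no longer symlinks at the destination."""
    return sorted(r for r in before if not os.path.islink(os.path.join(dest_root, r)))

def build_sample(base):
    """Constructed sample tree: one safe link and four risky ones."""
    tree = os.path.join(base, "tree")
    os.makedirs(os.path.join(tree, "sub"))
    os.makedirs(os.path.join(base, "external"))
    open(os.path.join(tree, "data.txt"), "w").close()
    os.symlink("data.txt", os.path.join(tree, "inner"))
    os.symlink("../external", os.path.join(tree, "outside"))
    os.symlink("..", os.path.join(tree, "sub", "up"))
    os.symlink("b", os.path.join(tree, "a"))
    os.symlink("a", os.path.join(tree, "b"))
    return tree

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        tree = build_sample(base)
        print(symlink_manifest(tree))
        print(risky_links(tree))
```

Run `symlink_manifest` on the source before the move and pass its result to `expanded_links` with the destination path afterwards; any path it returns was copied as real content instead of being preserved as a link.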

Remediation

Users can update to uutils coreutils version 0.7.0 or later, where this vulnerability has been addressed.

Added: Apr 22, 2026, 5:58 PM
Updated: Apr 22, 2026, 5:58 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.6
exploitability: 3.2
remediation: 0.0
relevance: 6.5
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.