A vulnerability in the chroot utility of uutils coreutils allows privilege escalation when using the --userspec option. The utility resolves user specifications via getpwnam() after entering chroot but before dropping root privileges. On glibc-based systems, this triggers Name Service Switch (NSS) to load shared libraries from the new root directory. If NEWROOT is writable by an attacker, they can inject malicious NSS modules to execute arbitrary code as root, enabling container escape or privilege escalation.