diff --git a/NOFORK_NOEXEC.lst b/NOFORK_NOEXEC.lst
index 21a3b41fa..055f9fb24 100644
--- a/NOFORK_NOEXEC.lst
+++ b/NOFORK_NOEXEC.lst
@@ -89,7 +89,7 @@ clear - NOFORK
 cmp - runner
 comm - runner
 conspy - interactive, longterm
-cp - noexec. runner
+cp - noexec. sometimes runner
 cpio - runner
 crond - daemon
 crontab - longterm (runs $EDITOR), leaks: open+xasprintf
@@ -255,7 +255,7 @@ mount - suid
 mountpoint - noexec. leaks: option -n "print dev name": find_block_device -> readdir+xstrdup
 mpstat - longterm: "mpstat 1" runs indefinitely
 mt - hardware
-mv - noexec candidate, runner
+mv - noexec. sometimes runner
 nameif - noexec. openlog(), leaks: config_open2+ioctl_or_perror_and_die
 nbd-client - noexec
 nc - runner
diff --git a/coreutils/cp.c b/coreutils/cp.c
index 5b34c27e7..05c725cd0 100644
--- a/coreutils/cp.c
+++ b/coreutils/cp.c
@@ -26,6 +26,7 @@
 //config:	Also add support for --parents option.
 
 //applet:IF_CP(APPLET_NOEXEC(cp, cp, BB_DIR_BIN, BB_SUID_DROP, cp))
+/* NOEXEC despite cases when it can be a "runner" (cp -r LARGE_DIR NEW_DIR) */
 
 //kbuild:lib-$(CONFIG_CP) += cp.o
 
diff --git a/coreutils/mv.c b/coreutils/mv.c
index 10cbc506f..aeafd1e40 100644
--- a/coreutils/mv.c
+++ b/coreutils/mv.c
@@ -17,7 +17,8 @@
 //config:	help
 //config:	mv is used to move or rename files or directories.
 
-//applet:IF_MV(APPLET(mv, BB_DIR_BIN, BB_SUID_DROP))
+//applet:IF_MV(APPLET_NOEXEC(mv, mv, BB_DIR_BIN, BB_SUID_DROP, mv))
+/* NOEXEC despite cases when it can be a "runner" (mv LARGE_DIR OTHER_FS) */
 
 //kbuild:lib-$(CONFIG_MV) += mv.o