Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
The mktemp utility in uutils coreutils fails to properly handle an empty TMPDIR environment variable. Unlike GNU mktemp, which falls back to /tmp when TMPDIR is an empty string, the uutils implementation treats the empty string as a valid path. This causes temporary files to be created in the current working directory (CWD) instead of the intended secure temporary directory. If the CWD is more permissive or accessible to other users than /tmp, it may lead to unintended information disclosure or unauthorized access to temporary data.
AnalysisAI
mktemp utility in uutils coreutils mishandles empty TMPDIR environment variables by creating temporary files in the current working directory instead of falling back to /tmp, potentially exposing sensitive data if the CWD has overly permissive access controls. Affects uutils coreutils versions prior to 0.6.0 and requires local attacker with limited privileges to manipulate the environment or exploit overly accessible working directories; CVSS 3.3 reflects low severity (local access, limited confidentiality impact) despite information disclosure risk.
Technical ContextAI
The mktemp utility is a POSIX-compliant tool for securely creating temporary files and directories. The vulnerability stems from improper handling of the TMPDIR environment variable (CWE-377: Insecure Temporary File). When TMPDIR is set to an empty string, the uutils implementation treats it as a valid path rather than recognizing it as invalid and falling back to the hardened /tmp directory (as GNU mktemp does). This is a logic error in path resolution: the code likely checks if TMPDIR is set (truthy) without validating that it contains a non-empty path. The result is temporary file creation in the current working directory (CWD), which may have inherited permissions from parent processes, shell configuration, or application defaults-potentially world-readable or writable if the CWD is under /tmp or another shared location.
RemediationAI
Upgrade uutils coreutils to version 0.6.0 or later; this is the vendor-released patch that restores proper TMPDIR fallback behavior matching GNU mktemp semantics. The fix is also available in upstream pull request 10566 (https://github.com/uutils/coreutils/pull/10566) for integration into downstream distributions. Workaround for unpatched systems: explicitly set TMPDIR to /tmp or another secure absolute path in application startup scripts or shell profiles to override any empty environment variable. This requires administrative control and does not protect against intentional TMPDIR manipulation by local attackers with environment modification capabilities. The patch has no known side effects; it only restores POSIX-compliant fallback behavior.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Same weakness CWE-377 – Insecure Temporary File
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24971
GHSA-2cxp-xq3c-mjxx