Skip to main content

uutils coreutils CVE-2026-35345

| EUVDEUVD-2026-24977 MEDIUM
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-04-22 canonical GHSA-xf75-659h-cgg5
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 23, 2026 - 00:18 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-24977
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
CVE Published
Apr 22, 2026 - 16:07 nvd
MEDIUM 5.3

DescriptionCVE.org

A vulnerability in the tail utility of uutils coreutils allows for the exfiltration of sensitive file contents when using the --follow=name option. Unlike GNU tail, the uutils implementation continues to monitor a path after it has been replaced by a symbolic link, subsequently outputting the contents of the link's target. In environments where a privileged user (e.g., root) monitors a log directory, a local attacker with write access to that directory can replace a log file with a symlink to a sensitive system file (such as /etc/shadow), causing tail to disclose the contents of the sensitive file.

AnalysisAI

The tail utility in uutils coreutils discloses sensitive file contents through improper symlink handling when using the --follow=name option. Unlike GNU tail, uutils continues monitoring a file path after it has been replaced with a symbolic link, causing it to output the contents of the link's target. A local attacker with write access to a monitored directory can exploit this to exfiltrate sensitive system files such as /etc/shadow when a privileged user (e.g., root) runs tail in follow mode. Publicly available exploit code exists, and the vulnerability requires local access and specific deployment conditions (privileged tail process monitoring user-writable directories).

Technical ContextAI

The tail utility implements file monitoring via the --follow=name option, which is intended to track changes to a named file path even if the underlying inode is replaced (in contrast to --follow=descriptor, which tracks the open file descriptor). The vulnerability stems from a race condition rooted in CWE-367 (Time-of-check Time-of-use), where uutils fails to verify whether the path refers to a symlink after the initial check but before reading from it. GNU tail mitigates this by refusing to follow symlinks in --follow=name mode, but uutils does not implement this safeguard. The affected product is identified by CPE cpe:2.3:a:uutils:coreutils:*:*:*:*:*:*:*:*, indicating all versions of the uutils coreutils package are potentially vulnerable.

RemediationAI

Patch the uutils coreutils installation to a version that implements symlink detection in --follow=name mode, matching the behavior of GNU tail. Exact patched version numbers are not provided in the available data; check the GitHub repository at https://github.com/uutils/coreutils/issues/10328 and the NVD advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-35345 for the specific release that addresses this issue. As a compensating control in systems where patching is delayed, restrict write access to directories monitored by privileged tail processes - use filesystem permissions to prevent unprivileged users from creating or replacing files in log directories (e.g., chmod 755 /var/log with owned-by-root files). This reduces the attack surface but may impact legitimate log rotation workflows. Alternatively, deploy monitoring processes with the principle of least privilege, running tail as an unprivileged user rather than root if operationally feasible. If uutils coreutils is critical to your environment, consider switching to GNU coreutils (which is not affected) as a temporary mitigation, though this may require code changes if uutils-specific features are in use.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

CVE-2026-35345 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy