Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO and then performs a path-based chmod to set permissions. A local attacker with write access to the parent directory can swap the newly created FIFO for a symbolic link between these two operations. This redirects the chmod call to an arbitrary file, potentially enabling privilege escalation if the utility is run with elevated privileges.
AnalysisAI
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file permissions on arbitrary system files. A TOCTOU race condition between FIFO creation and permission setting enables symlink swapping attacks, redirecting chmod operations to unintended targets. SSVC framework indicates proof-of-concept exists with total technical impact. While CVSS rates this 7.0 (High), exploitation requires high attack complexity (race condition timing), low privileges, and write access to the parent directory where mkfifo is executed - most impactful when the utility runs with elevated privileges in automated scripts or system processes. No active exploitation confirmed (not in CISA KEV); EPSS data not available.
Technical ContextAI
This vulnerability affects the mkfifo utility in uutils coreutils, a cross-platform Rust reimplementation of GNU coreutils. The flaw is a classic Time-of-Check to Time-of-Use (TOCTOU) race condition (CWE-367), where a non-atomic sequence of file operations creates an exploitable window. The vulnerable code path performs: (1) FIFO creation at a specified path, then (2) a separate path-based chmod syscall to set permissions. Between these operations, the filesystem entry can be replaced. When an attacker with write access to the parent directory detects the FIFO creation, they can atomically unlink it and create a symbolic link with the same name pointing to a privileged file (e.g., /etc/passwd, /etc/shadow, or SUID binaries). The subsequent chmod then follows the symlink, inadvertently modifying permissions on the attacker-controlled target. This is particularly dangerous in environments where mkfifo runs as root or within privileged automation contexts.
RemediationAI
Upstream fix available through GitHub issue tracking (https://github.com/uutils/coreutils/issues/10020), but released patched version number not independently confirmed from available data - monitor the GitHub repository for tagged release incorporating the fix. Once released, upgrade uutils coreutils to the patched version immediately if deployed in privileged contexts. Interim compensating controls: (1) Avoid running mkfifo with elevated privileges in automated scripts; if necessary, use unprivileged processes and employ capability-based security to limit damage scope. (2) Ensure mkfifo operations occur only in directories with restricted write permissions (not world-writable or user-writable temp directories); use private temporary directories with mode 0700 owned by the executing process. (3) If feasible, switch to GNU coreutils mkfifo implementation which may use file descriptor-based chmod (fchmod) avoiding the TOCTOU condition, though verify your distribution's implementation. (4) Implement filesystem monitoring (inotify/fanotify) to detect rapid unlink/create sequences in critical directories where mkfifo executes, though this adds performance overhead. Note that restricting directory permissions is the most practical mitigation but may break existing workflows where users legitimately need to create FIFOs in shared spaces.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Time-of-Check to Time-of-Use (TOCTOU) race condition in uutils coreutils install utility allows local authenticated atta
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24986
GHSA-9gh9-hwpr-rvqq