uutils coreutils CVE-2026-35353

| EUVD-2026-24988 LOW
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-04-22 canonical GHSA-vf87-345h-9qhx
Authentication Bypass
3.3
CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Apr 23, 2026 - 07:00 vuln.today

DescriptionNVD

The mkdir utility in uutils coreutils incorrectly applies permissions when using the -m flag by creating a directory with umask-derived permissions (typically 0755) before subsequently changing them to the requested mode via a separate chmod system call. In multi-user environments, this introduces a brief window where a directory intended to be private is accessible to other users, potentially leading to unauthorized data access.

AnalysisAI

The mkdir utility in uutils coreutils creates directories with default umask-derived permissions (0755) before applying the requested mode via chmod, creating a race condition window where a directory intended to be private becomes briefly accessible to other local users. This affects uutils coreutils versions prior to 0.6.0 and requires local authenticated access to exploit, limiting real-world impact despite the CVSS score of 3.3.

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-35353 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy