Skip to main content

uutils coreutils CVE-2026-35353

| EUVDEUVD-2026-24988 LOW
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
3.3
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 07:00 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-24988
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
Patch released
Apr 22, 2026 - 16:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 16:08 nvd
LOW 3.3

DescriptionCVE.org

The mkdir utility in uutils coreutils incorrectly applies permissions when using the -m flag by creating a directory with umask-derived permissions (typically 0755) before subsequently changing them to the requested mode via a separate chmod system call. In multi-user environments, this introduces a brief window where a directory intended to be private is accessible to other users, potentially leading to unauthorized data access.

AnalysisAI

The mkdir utility in uutils coreutils creates directories with default umask-derived permissions (0755) before applying the requested mode via chmod, creating a race condition window where a directory intended to be private becomes briefly accessible to other local users. This affects uutils coreutils versions prior to 0.6.0 and requires local authenticated access to exploit, limiting real-world impact despite the CVSS score of 3.3.

Technical ContextAI

The vulnerability stems from a Time-of-Check-Time-of-Use (TOCTOU) race condition in the mkdir implementation. When the -m flag is used to specify directory permissions, the utility creates the directory with default umask-derived permissions (typically 0755, world-readable) and subsequently calls chmod to set the requested restrictive mode. In multi-user systems, an unprivileged local process can race to access the directory contents during this brief window before chmod is applied. The root cause is classified under CWE-367 (Time-of-check Time-of-use TOCTOU Race Condition), a common synchronization vulnerability in file operations. The affected product (uutils coreutils) is a Rust-based reimplementation of GNU coreutils utilities.

RemediationAI

Vendor-released patch: upgrade uutils coreutils to version 0.6.0 or later. The upstream fix (GitHub PR #10036) modifies mkdir to apply permissions atomically using the mode parameter in the mkdir system call itself, eliminating the TOCTOU window entirely. For environments unable to upgrade immediately, the primary compensating control is to restrict use of mkdir with -m flags to trusted administrators only by removing or restricting user access to the uutils coreutils mkdir binary via filesystem permissions (e.g., chmod 750 on the mkdir binary). This prevents unprivileged users from creating directories with custom permissions, though it may impact workflow if users legitimately need this functionality. Alternative mitigation for high-security deployments involves using AppArmor or SELinux policies to prevent concurrent access to the same directory paths during mkdir operations, but this adds significant operational complexity.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

CVE-2026-35353 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy