Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a source path is a symbolic link using path-based metadata but subsequently opens it without the O_NOFOLLOW flag. An attacker with concurrent write access can swap a regular file for a symbolic link during this window, causing a privileged cp process to copy the contents of arbitrary sensitive files into a destination controlled by the attacker.
AnalysisAI
Time-of-Check to Time-of-Use (TOCTOU) vulnerability in uutils coreutils cp utility allows local attackers with write access to bypass no-dereference protections and read arbitrary sensitive files. The cp command checks symbolic link status via metadata but opens files without O_NOFOLLOW, permitting race condition exploitation where an attacker swaps a regular file for a symbolic link between check and use, causing a privileged cp process to copy sensitive file contents to attacker-controlled destinations. Publicly available exploit code exists; SSVC framework indicates partial technical impact with non-automatable exploitation.
Technical ContextAI
The vulnerability exists in the cp utility's file-copying logic, specifically in how it handles symbolic links when the no-dereference (--no-dereference or -P) option is intended. uutils coreutils uses a path-based metadata check (likely via lstat or similar) to determine whether a source is a symbolic link, but then opens and reads the file descriptor without the O_NOFOLLOW flag. This creates a race window where an attacker with concurrent write access to the filesystem can replace a regular file with a symbolic link after the check but before the open. The underlying issue (CWE-367: Improper Restriction of Rendered UI Layers or Frames) manifests as a time-of-check-time-of-use (TOCTOU) race condition in privilege escalation contexts. When cp runs with elevated privileges and an attacker has write access to the source or parent directory, this race can be exploited to cause cp to follow the symbolic link and copy sensitive files (e.g., /etc/shadow) to an attacker-controlled location.
RemediationAI
Apply the vendor-released patch from uutils coreutils that addresses the TOCTOU race condition in cp by implementing O_NOFOLLOW flag usage during file operations, ensuring symbolic links are not followed even after an initial metadata check. Consult https://github.com/uutils/coreutils/issues/10017 and https://nvd.nist.gov/vuln/detail/CVE-2026-35359 for specific patched version numbers and upgrade instructions. Until patching is possible, implement filesystem-level mitigations: restrict write permissions on directories containing files processed by privileged cp operations (e.g., remove write access for unprivileged users to /etc or other system directories being backed up), use SELinux or AppArmor policies to confine privileged cp processes and limit file access to intended paths, or avoid invoking cp with elevated privileges on user-writable directories. Additionally, monitor for suspicious symbolic link creation attempts in directories being copied by system processes using auditd (audit -w /path/to/monitor -p wa -k symlink_watch). These compensating controls reduce exposure but do not fully eliminate the race window; patching remains the primary mitigation.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25000