Skip to main content

uutils coreutils CVE-2026-35359

| EUVDEUVD-2026-25000 MEDIUM
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-04-22 canonical
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 23, 2026 - 07:04 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-25000
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
CVE Published
Apr 22, 2026 - 16:08 nvd
MEDIUM 4.7

DescriptionCVE.org

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a source path is a symbolic link using path-based metadata but subsequently opens it without the O_NOFOLLOW flag. An attacker with concurrent write access can swap a regular file for a symbolic link during this window, causing a privileged cp process to copy the contents of arbitrary sensitive files into a destination controlled by the attacker.

AnalysisAI

Time-of-Check to Time-of-Use (TOCTOU) vulnerability in uutils coreutils cp utility allows local attackers with write access to bypass no-dereference protections and read arbitrary sensitive files. The cp command checks symbolic link status via metadata but opens files without O_NOFOLLOW, permitting race condition exploitation where an attacker swaps a regular file for a symbolic link between check and use, causing a privileged cp process to copy sensitive file contents to attacker-controlled destinations. Publicly available exploit code exists; SSVC framework indicates partial technical impact with non-automatable exploitation.

Technical ContextAI

The vulnerability exists in the cp utility's file-copying logic, specifically in how it handles symbolic links when the no-dereference (--no-dereference or -P) option is intended. uutils coreutils uses a path-based metadata check (likely via lstat or similar) to determine whether a source is a symbolic link, but then opens and reads the file descriptor without the O_NOFOLLOW flag. This creates a race window where an attacker with concurrent write access to the filesystem can replace a regular file with a symbolic link after the check but before the open. The underlying issue (CWE-367: Improper Restriction of Rendered UI Layers or Frames) manifests as a time-of-check-time-of-use (TOCTOU) race condition in privilege escalation contexts. When cp runs with elevated privileges and an attacker has write access to the source or parent directory, this race can be exploited to cause cp to follow the symbolic link and copy sensitive files (e.g., /etc/shadow) to an attacker-controlled location.

RemediationAI

Apply the vendor-released patch from uutils coreutils that addresses the TOCTOU race condition in cp by implementing O_NOFOLLOW flag usage during file operations, ensuring symbolic links are not followed even after an initial metadata check. Consult https://github.com/uutils/coreutils/issues/10017 and https://nvd.nist.gov/vuln/detail/CVE-2026-35359 for specific patched version numbers and upgrade instructions. Until patching is possible, implement filesystem-level mitigations: restrict write permissions on directories containing files processed by privileged cp operations (e.g., remove write access for unprivileged users to /etc or other system directories being backed up), use SELinux or AppArmor policies to confine privileged cp processes and limit file access to intended paths, or avoid invoking cp with elevated privileges on user-writable directories. Additionally, monitor for suspicious symbolic link creation attempts in directories being copied by system processes using auditd (audit -w /path/to/monitor -p wa -k symlink_watch). These compensating controls reduce exposure but do not fully eliminate the race window; patching remains the primary mitigation.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

CVE-2026-35359 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy