Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss.
AnalysisAI
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows local attackers with user-level privileges to truncate arbitrary files and cause permanent data loss. The vulnerability exists in the window between when touch checks for a missing file and when it attempts file creation with O_TRUNC flag; an attacker can inject a symlink or create a file at the target path during this interval, causing touch to truncate an existing file that the attacker controls. SSVC framework indicates exploitation is possible via proof-of-concept code, though automation is not feasible due to race condition complexity.
Technical ContextAI
The vulnerability stems from a classic TOCTOU race condition (CWE-367) in file handling logic. The touch utility performs a check to determine if a file path exists, then later invokes File::create() which internally opens the file with O_TRUNC flag (truncate on open). Between the existence check and file creation, an attacker in the same system can create a symlink pointing to a sensitive file or create a regular file at the target path. When touch subsequently calls File::create() with O_TRUNC, it truncates whatever file now occupies that path - potentially a legitimate file the attacker has linked to via symlink. This is a fundamental file operation sequencing flaw in Rust's standard library File::create() wrapper, which combines open() and truncate operations non-atomically.
RemediationAI
Apply the latest patched version of uutils coreutils once released by the project (exact version number not independently confirmed from provided data). Interim mitigation requires addressing the TOCTOU window: developers should refactor the touch utility to use atomic file operations, such as open() with O_CREAT|O_EXCL flags to fail safely if a file already exists, or use O_CREAT without O_TRUNC and handle existing files explicitly. System administrators can limit exposure by restricting file system permissions on critical directories (e.g., use sticky bit on shared directories to prevent non-owners from removing files), restricting user access to sensitive file locations, and monitoring file system events for suspicious symlink creation in target directories. Note that these workarounds do not eliminate the race window but raise the operational complexity of successful exploitation.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Time-of-Check to Time-of-Use (TOCTOU) race condition in uutils coreutils install utility allows local authenticated atta
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25002
GHSA-q6m9-xj2w-xmrc