Skip to main content

uutils coreutils CVE-2026-35360

| EUVDEUVD-2026-25002 MEDIUM
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-04-22 canonical GHSA-q6m9-xj2w-xmrc
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Apr 23, 2026 - 07:03 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-25002
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
CVE Published
Apr 22, 2026 - 16:08 nvd
MEDIUM 6.3

DescriptionCVE.org

The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss.

AnalysisAI

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows local attackers with user-level privileges to truncate arbitrary files and cause permanent data loss. The vulnerability exists in the window between when touch checks for a missing file and when it attempts file creation with O_TRUNC flag; an attacker can inject a symlink or create a file at the target path during this interval, causing touch to truncate an existing file that the attacker controls. SSVC framework indicates exploitation is possible via proof-of-concept code, though automation is not feasible due to race condition complexity.

Technical ContextAI

The vulnerability stems from a classic TOCTOU race condition (CWE-367) in file handling logic. The touch utility performs a check to determine if a file path exists, then later invokes File::create() which internally opens the file with O_TRUNC flag (truncate on open). Between the existence check and file creation, an attacker in the same system can create a symlink pointing to a sensitive file or create a regular file at the target path. When touch subsequently calls File::create() with O_TRUNC, it truncates whatever file now occupies that path - potentially a legitimate file the attacker has linked to via symlink. This is a fundamental file operation sequencing flaw in Rust's standard library File::create() wrapper, which combines open() and truncate operations non-atomically.

RemediationAI

Apply the latest patched version of uutils coreutils once released by the project (exact version number not independently confirmed from provided data). Interim mitigation requires addressing the TOCTOU window: developers should refactor the touch utility to use atomic file operations, such as open() with O_CREAT|O_EXCL flags to fail safely if a file already exists, or use O_CREAT without O_TRUNC and handle existing files explicitly. System administrators can limit exposure by restricting file system permissions on critical directories (e.g., use sticky bit on shared directories to prevent non-owners from removing files), restricting user access to sensitive file locations, and monitoring file system events for suspicious symlink creation in target directories. Note that these workarounds do not eliminate the race window but raise the operational complexity of successful exploitation.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

CVE-2026-35355 MEDIUM
6.3 Apr 22

Time-of-Check to Time-of-Use (TOCTOU) race condition in uutils coreutils install utility allows local authenticated atta

Share

CVE-2026-35360 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy