Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
The safe_traversal module in uutils coreutils, which provides protection against Time-of-Check to Time-of-Use (TOCTOU) symlink races using file-descriptor-relative syscalls, is incorrectly limited to Linux targets. On other Unix-like systems such as macOS and FreeBSD, the utility fails to utilize these protections, leaving directory traversal operations vulnerable to symlink race conditions.
AnalysisAI
Time-of-Check to Time-of-Use (TOCTOU) symlink race condition vulnerability in uutils coreutils affects directory traversal operations on macOS and FreeBSD because the safe_traversal module's file-descriptor-relative syscall protections are incorrectly limited to Linux targets only. Local authenticated attackers with limited privileges can exploit this race condition to read or modify files via symlink manipulation, though exploitation requires specific timing conditions and is not automatable. EPSS and CISA SSVC assessment indicate partial technical impact with no evidence of active exploitation.
Technical ContextAI
The safe_traversal module in uutils coreutils implements TOCTOU race condition mitigations using file-descriptor-relative syscalls (such as openat, fstatat, etc.), which are POSIX.1-2008 standard syscalls that resolve paths relative to a directory file descriptor rather than the global filesystem, eliminating the window between stat and open operations where a symlink could be swapped. These protections are correctly implemented on Linux targets via the openat and related family of syscalls. However, the conditional compilation logic restricts these protections to Linux only, causing fallback to unsafe direct syscalls on other Unix-like systems including macOS and FreeBSD where the same POSIX syscalls are available. This leaves CWE-367 (Time-of-check Time-of-use TOCTOU Race Condition) vulnerability exposed in any coreutils utility that traverses directories, particularly those handling file operations like cp, mv, or install.
RemediationAI
Upgrade uutils coreutils to version 0.6.0 or later, available from https://github.com/uutils/coreutils/releases/tag/0.6.0. The upstream patch (https://github.com/uutils/coreutils/pull/9792) enables the safe_traversal module's POSIX file-descriptor-relative syscall protections on all Unix-like systems, not just Linux. If immediate upgrade is not feasible, restrict local user access to directories processed by coreutils utilities, particularly those performing directory traversal (cp, mv, install). Alternatively, deploy file monitoring on critical directories to detect symlink creation attempts during coreutils operations, though this is a compensating control with operational overhead and may not catch race conditions due to timing constraints. Note that disabling affected utilities is not practical in most environments and is not recommended as a long-term workaround.
Same technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25006
GHSA-ggc5-46rg-mr4v