Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation. A local attacker with write access to the destination directory can exploit this window to replace the destination with a symbolic link. The subsequent privileged move operation will follow the symlink, allowing the attacker to redirect the write and overwrite an arbitrary target file with contents from the source.
AnalysisAI
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move operations allows local attackers with write access to the destination directory to exploit a window between file deletion and recreation, injecting a symbolic link to redirect privileged write operations and overwrite arbitrary files. Exploitation requires moderate attack complexity and local access with limited privileges, but grants the ability to corrupt or modify files beyond the attacker's normal permissions. Publicly available exploit code exists but the vulnerability has not been confirmed in active exploitation.
Technical ContextAI
The mv utility in uutils coreutils implements cross-device file operations by removing the destination path and then performing a copy-based recreation. The vulnerability stems from an insecure sequence: the destination is deleted in one operation, followed by a separate copy operation to recreate it at the target location. This creates a race condition window (CWE-367, Time-of-Check to Time-of-Use) where an attacker with write permissions in the destination directory can replace the deleted destination with a symbolic link pointing to an arbitrary file. When the privileged move operation resumes and follows the symlink, it writes the source file contents to the attacker's chosen target, effectively enabling arbitrary file write as a higher-privilege context. The vulnerability is specific to cross-device move operations where the kernel cannot perform an atomic rename, forcing userspace fallback to copy-and-delete semantics.
RemediationAI
Apply the upstream fix from the uutils/coreutils project by updating to the patched release version. The fix involves eliminating or securing the race condition window during cross-device move operations, either by using atomic operations where available or by holding an exclusive lock on the destination directory during the copy-and-recreate sequence. Until patching is possible, mitigate risk by restricting write access to directories that are targets of mv operations, particularly when mv is invoked with elevated privileges (via sudo or setuid). For systems where privilege escalation via this vector is a concern, avoid running mv with privilege escalation in environments where local users have write access to target directories. Additionally, implement filesystem-level monitoring or mandatory access controls to detect or prevent creation of symbolic links in critical destination directories. Note that these workarounds reduce functionality and are not substitutes for patching; apply the vendor fix as soon as available.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Time-of-Check to Time-of-Use (TOCTOU) race condition in uutils coreutils install utility allows local authenticated atta
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25010
GHSA-m976-87wm-48fm