Skip to main content

uutils coreutils CVE-2026-35376

| EUVDEUVD-2026-25028 MEDIUM
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-04-22 canonical
4.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.5 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 07:02 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-25028
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
Patch released
Apr 22, 2026 - 16:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 16:09 nvd
MEDIUM 4.5

DescriptionCVE.org

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the chcon utility of uutils coreutils during recursive operations. The implementation resolves recursive targets using a fresh path lookup (via fts_accpath) rather than binding the traversal and label application to the specific directory state encountered during traversal. Because these operations are not anchored to file descriptors, a local attacker with write access to a directory tree can exploit timing-sensitive rename or symbolic link races to redirect a privileged recursive relabeling operation to unintended files or directories. This vulnerability breaks the hardening expectations for SELinux administration workflows and can lead to the unauthorized modification of security labels on sensitive system objects.

AnalysisAI

Time-of-Check to Time-of-Use (TOCTOU) race condition in the chcon utility of uutils coreutils allows local attackers with directory write access to redirect recursive security label operations to unintended files or directories via symbolic link or rename races, potentially compromising SELinux security controls. The vulnerability affects versions prior to 0.8.0 and requires low privileges and high attack complexity to exploit, making it a moderate-severity issue with partial technical impact.

Technical ContextAI

The chcon utility is responsible for changing SELinux security context labels on files and directories. The vulnerability stems from how recursive operations resolve target paths using fresh path lookups via fts_accpath instead of maintaining file descriptor anchors throughout the traversal. This implementation pattern is susceptible to Time-of-Check to Time-of-Use (TOCTOU) race conditions as defined in CWE-367, where the state of a resource (file system path) can change between the moment it is checked and the moment the privileged operation is applied. An attacker with write access to the directory tree being traversed can exploit the window between path validation and label application by performing symbolic link injection or renaming operations, causing the security label modifications to be applied to files other than the originally intended targets.

RemediationAI

Vendor-released patch: upgrade uutils coreutils to version 0.8.0 or later. The patch addresses the TOCTOU vulnerability by implementing file descriptor anchoring during recursive traversal operations. Organizations using uutils coreutils should prioritize this upgrade in their next maintenance cycle, particularly if running chcon commands with elevated privileges on shared or untrusted file systems. Interim workarounds while patching is pending include restricting write access to directories being recursively relabeled (tighten directory permissions prior to chcon execution), avoiding recursive (-R) chcon operations on directories with untrusted write access, or temporarily disabling unprivileged user write access to target directories during privileged chcon operations-though these workarounds degrade administrative flexibility and are not long-term solutions.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

CVE-2026-35376 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy