Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
A vulnerability in uutils coreutils mkfifo allows for the unauthorized modification of permissions on existing files. When mkfifo fails to create a FIFO because a file already exists at the target path, it fails to terminate the operation for that path and continues to execute a follow-up set_permissions call. This results in the existing file's permissions being changed to the default mode (often 644 after umask), potentially exposing sensitive files such as SSH private keys to other users on the system.
AnalysisAI
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary files to world-readable mode. When mkfifo attempts to create a FIFO at a path where a file already exists, it erroneously continues execution and calls set_permissions on the existing file, changing its mode to default (typically 644 after umask). This can expose sensitive files like SSH private keys (~/.ssh/id_rsa) or application secrets to unauthorized local users. CISA SSVC confirms proof-of-concept code exists with total technical impact, though EPSS data is not available and the vulnerability is not yet in CISA KEV, indicating exploitation remains theoretical rather than widespread.
Technical ContextAI
uutils coreutils is a cross-platform Rust reimplementation of GNU coreutils utilities. The mkfifo utility creates named pipes (FIFOs) for inter-process communication. This vulnerability stems from improper error handling in the file creation logic (CWE-732: Incorrect Permission Assignment for Critical Resource). When mkfifo encounters EEXIST (file already exists error), it should terminate processing for that path immediately. Instead, the code proceeds to a set_permissions() call that was intended only for newly created FIFOs. The permission change applies the default umask-adjusted mode to the pre-existing file, typically resulting in 644 (owner read-write, group/world read). The affected product is identified as cpe:2.3:a:uutils:coreutils:*:*:*:*:*:*:*:*, indicating all versions prior to the fix are vulnerable. This is particularly dangerous in multi-user Unix/Linux environments where users share a system and rely on file permissions for access control.
RemediationAI
Upgrade to the patched version of uutils coreutils once released-monitor https://github.com/uutils/coreutils/issues/10020 for fix version announcement. Until a patch is available, implement these specific compensating controls: (1) On multi-user systems, restrict mkfifo execution to trusted users only by removing world-execute permissions (chmod 750 /usr/bin/mkfifo or equivalent path) and setting appropriate group ownership-this prevents unprivileged users from exploiting the flaw but breaks legitimate uses by those users. (2) Deploy file integrity monitoring (AIDE, Tripwire) to alert on unexpected permission changes to sensitive files in /home/*/.ssh/, /etc/ssh/, application config directories, and private key locations-set alerts for any file changing to mode 644 or similar world-readable permissions. (3) Use mandatory access control (SELinux, AppArmor) policies to prevent mkfifo from modifying file permissions outside its intended scope-requires policy development and testing before production deployment. (4) For critical systems, temporarily replace uutils coreutils with GNU coreutils (apt install coreutils on Debian/Ubuntu, reinstall coreutils package on other distributions) until uutils patch is available-verify GNU implementation is actually being used as some systems may have multiple installations. Each mitigation trades off between security and usability; option (4) provides immediate full protection with minimal operational impact for most environments.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Time-of-Check to Time-of-Use (TOCTOU) race condition in uutils coreutils install utility allows local authenticated atta
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24969
GHSA-w8m4-4v35-v6x3