Skip to main content

uutils coreutils EUVDEUVD-2026-24969

| CVE-2026-35341 HIGH
Incorrect Permission Assignment for Critical Resource (CWE-732)
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Re-analysis Queued
Apr 24, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 23, 2026 - 00:17 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-24969
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
CVE Published
Apr 22, 2026 - 16:07 nvd
HIGH 7.1

DescriptionCVE.org

A vulnerability in uutils coreutils mkfifo allows for the unauthorized modification of permissions on existing files. When mkfifo fails to create a FIFO because a file already exists at the target path, it fails to terminate the operation for that path and continues to execute a follow-up set_permissions call. This results in the existing file's permissions being changed to the default mode (often 644 after umask), potentially exposing sensitive files such as SSH private keys to other users on the system.

AnalysisAI

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary files to world-readable mode. When mkfifo attempts to create a FIFO at a path where a file already exists, it erroneously continues execution and calls set_permissions on the existing file, changing its mode to default (typically 644 after umask). This can expose sensitive files like SSH private keys (~/.ssh/id_rsa) or application secrets to unauthorized local users. CISA SSVC confirms proof-of-concept code exists with total technical impact, though EPSS data is not available and the vulnerability is not yet in CISA KEV, indicating exploitation remains theoretical rather than widespread.

Technical ContextAI

uutils coreutils is a cross-platform Rust reimplementation of GNU coreutils utilities. The mkfifo utility creates named pipes (FIFOs) for inter-process communication. This vulnerability stems from improper error handling in the file creation logic (CWE-732: Incorrect Permission Assignment for Critical Resource). When mkfifo encounters EEXIST (file already exists error), it should terminate processing for that path immediately. Instead, the code proceeds to a set_permissions() call that was intended only for newly created FIFOs. The permission change applies the default umask-adjusted mode to the pre-existing file, typically resulting in 644 (owner read-write, group/world read). The affected product is identified as cpe:2.3:a:uutils:coreutils:*:*:*:*:*:*:*:*, indicating all versions prior to the fix are vulnerable. This is particularly dangerous in multi-user Unix/Linux environments where users share a system and rely on file permissions for access control.

RemediationAI

Upgrade to the patched version of uutils coreutils once released-monitor https://github.com/uutils/coreutils/issues/10020 for fix version announcement. Until a patch is available, implement these specific compensating controls: (1) On multi-user systems, restrict mkfifo execution to trusted users only by removing world-execute permissions (chmod 750 /usr/bin/mkfifo or equivalent path) and setting appropriate group ownership-this prevents unprivileged users from exploiting the flaw but breaks legitimate uses by those users. (2) Deploy file integrity monitoring (AIDE, Tripwire) to alert on unexpected permission changes to sensitive files in /home/*/.ssh/, /etc/ssh/, application config directories, and private key locations-set alerts for any file changing to mode 644 or similar world-readable permissions. (3) Use mandatory access control (SELinux, AppArmor) policies to prevent mkfifo from modifying file permissions outside its intended scope-requires policy development and testing before production deployment. (4) For critical systems, temporarily replace uutils coreutils with GNU coreutils (apt install coreutils on Debian/Ubuntu, reinstall coreutils package on other distributions) until uutils patch is available-verify GNU implementation is actually being used as some systems may have multiple installations. Each mitigation trades off between security and usability; option (4) provides immediate full protection with minimal operational impact for most environments.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

CVE-2026-35355 MEDIUM
6.3 Apr 22

Time-of-Check to Time-of-Use (TOCTOU) race condition in uutils coreutils install utility allows local authenticated atta

Share

EUVD-2026-24969 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy