Skip to main content

uutils coreutils EUVDEUVD-2026-24986

| CVE-2026-35352 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-04-22 canonical GHSA-9gh9-hwpr-rvqq
7.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 24, 2026 - 19:07 vuln.today
cvss_changed
Analysis Generated
Apr 23, 2026 - 06:52 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-24986
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
CVE Published
Apr 22, 2026 - 16:08 nvd
HIGH 7.0

DescriptionCVE.org

A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO and then performs a path-based chmod to set permissions. A local attacker with write access to the parent directory can swap the newly created FIFO for a symbolic link between these two operations. This redirects the chmod call to an arbitrary file, potentially enabling privilege escalation if the utility is run with elevated privileges.

AnalysisAI

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file permissions on arbitrary system files. A TOCTOU race condition between FIFO creation and permission setting enables symlink swapping attacks, redirecting chmod operations to unintended targets. SSVC framework indicates proof-of-concept exists with total technical impact. While CVSS rates this 7.0 (High), exploitation requires high attack complexity (race condition timing), low privileges, and write access to the parent directory where mkfifo is executed - most impactful when the utility runs with elevated privileges in automated scripts or system processes. No active exploitation confirmed (not in CISA KEV); EPSS data not available.

Technical ContextAI

This vulnerability affects the mkfifo utility in uutils coreutils, a cross-platform Rust reimplementation of GNU coreutils. The flaw is a classic Time-of-Check to Time-of-Use (TOCTOU) race condition (CWE-367), where a non-atomic sequence of file operations creates an exploitable window. The vulnerable code path performs: (1) FIFO creation at a specified path, then (2) a separate path-based chmod syscall to set permissions. Between these operations, the filesystem entry can be replaced. When an attacker with write access to the parent directory detects the FIFO creation, they can atomically unlink it and create a symbolic link with the same name pointing to a privileged file (e.g., /etc/passwd, /etc/shadow, or SUID binaries). The subsequent chmod then follows the symlink, inadvertently modifying permissions on the attacker-controlled target. This is particularly dangerous in environments where mkfifo runs as root or within privileged automation contexts.

RemediationAI

Upstream fix available through GitHub issue tracking (https://github.com/uutils/coreutils/issues/10020), but released patched version number not independently confirmed from available data - monitor the GitHub repository for tagged release incorporating the fix. Once released, upgrade uutils coreutils to the patched version immediately if deployed in privileged contexts. Interim compensating controls: (1) Avoid running mkfifo with elevated privileges in automated scripts; if necessary, use unprivileged processes and employ capability-based security to limit damage scope. (2) Ensure mkfifo operations occur only in directories with restricted write permissions (not world-writable or user-writable temp directories); use private temporary directories with mode 0700 owned by the executing process. (3) If feasible, switch to GNU coreutils mkfifo implementation which may use file descriptor-based chmod (fchmod) avoiding the TOCTOU condition, though verify your distribution's implementation. (4) Implement filesystem monitoring (inotify/fanotify) to detect rapid unlink/create sequences in critical directories where mkfifo executes, though this adds performance overhead. Note that restricting directory permissions is the most practical mitigation but may break existing workflows where users legitimately need to create FIFOs in shared spaces.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

CVE-2026-35355 MEDIUM
6.3 Apr 22

Time-of-Check to Time-of-Use (TOCTOU) race condition in uutils coreutils install utility allows local authenticated atta

Share

EUVD-2026-24986 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy