Skip to main content

uutils coreutils EUVDEUVD-2026-24992

| CVE-2026-35355 MEDIUM
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 07:05 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-24992
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
Patch released
Apr 22, 2026 - 16:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 16:08 nvd
MEDIUM 6.3

DescriptionCVE.org

The install utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file installation. The implementation unlinks an existing destination file and then recreates it using a path-based operation without the O_EXCL flag. A local attacker can exploit the window between the unlink and the subsequent creation to swap the path with a symbolic link, allowing them to redirect privileged writes to overwrite arbitrary system files.

AnalysisAI

Time-of-Check to Time-of-Use (TOCTOU) race condition in uutils coreutils install utility allows local authenticated attackers to redirect privileged file writes to arbitrary system locations via symbolic link swapping. By exploiting the window between file unlinking and recreation, an attacker with local access and low privileges can overwrite critical system files when the install command runs with elevated privileges, achieving both integrity compromise and denial of service.

Technical ContextAI

The install utility in uutils coreutils implements file installation by first unlinking an existing destination file, then recreating it without the O_EXCL (exclusive creation) flag. This two-step operation introduces a time-of-check to time-of-use race condition (CWE-367). An attacker can inject a symbolic link at the destination path between the unlink and creation syscalls, causing the subsequent write operation to follow the symlink and overwrite an arbitrary file chosen by the attacker. This is a classic privilege escalation vector when install runs with elevated privileges (e.g., during system package installation or privileged maintenance operations). The absence of O_EXCL means the kernel does not atomically ensure exclusive ownership of the newly created file, leaving the race window open. CPE indicates all versions of uutils coreutils prior to 0.6.0 are affected.

RemediationAI

Vendor-released patch: uutils coreutils 0.6.0 or later. Upgrade via standard package managers (Cargo for Rust distributions, system repositories for packaged versions) to version 0.6.0 or later. The fix resolves the TOCTOU race by using atomic file operations with the O_EXCL flag, ensuring exclusive file creation without the unlink-and-recreate window. For systems unable to upgrade immediately, restrict execution of the install utility to trusted user accounts and disable setuid bits on install binaries if not required for normal operations. Avoid running install operations on untrusted filesystems or in shared /tmp directories where symlink injection is practical. Monitor system logs for repeated install failures or unexpected symlink creation in install destination directories, which may indicate exploitation attempts. See https://github.com/uutils/coreutils/releases/tag/0.6.0 for patch details and https://github.com/uutils/coreutils/pull/10067 for technical implementation.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

EUVD-2026-24992 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy