Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
The install utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file installation. The implementation unlinks an existing destination file and then recreates it using a path-based operation without the O_EXCL flag. A local attacker can exploit the window between the unlink and the subsequent creation to swap the path with a symbolic link, allowing them to redirect privileged writes to overwrite arbitrary system files.
AnalysisAI
Time-of-Check to Time-of-Use (TOCTOU) race condition in uutils coreutils install utility allows local authenticated attackers to redirect privileged file writes to arbitrary system locations via symbolic link swapping. By exploiting the window between file unlinking and recreation, an attacker with local access and low privileges can overwrite critical system files when the install command runs with elevated privileges, achieving both integrity compromise and denial of service.
Technical ContextAI
The install utility in uutils coreutils implements file installation by first unlinking an existing destination file, then recreating it without the O_EXCL (exclusive creation) flag. This two-step operation introduces a time-of-check to time-of-use race condition (CWE-367). An attacker can inject a symbolic link at the destination path between the unlink and creation syscalls, causing the subsequent write operation to follow the symlink and overwrite an arbitrary file chosen by the attacker. This is a classic privilege escalation vector when install runs with elevated privileges (e.g., during system package installation or privileged maintenance operations). The absence of O_EXCL means the kernel does not atomically ensure exclusive ownership of the newly created file, leaving the race window open. CPE indicates all versions of uutils coreutils prior to 0.6.0 are affected.
RemediationAI
Vendor-released patch: uutils coreutils 0.6.0 or later. Upgrade via standard package managers (Cargo for Rust distributions, system repositories for packaged versions) to version 0.6.0 or later. The fix resolves the TOCTOU race by using atomic file operations with the O_EXCL flag, ensuring exclusive file creation without the unlink-and-recreate window. For systems unable to upgrade immediately, restrict execution of the install utility to trusted user accounts and disable setuid bits on install binaries if not required for normal operations. Avoid running install operations on untrusted filesystems or in shared /tmp directories where symlink injection is practical. Monitor system logs for repeated install failures or unexpected symlink creation in install destination directories, which may indicate exploitation attempts. See https://github.com/uutils/coreutils/releases/tag/0.6.0 for patch details and https://github.com/uutils/coreutils/pull/10067 for technical implementation.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24992
GHSA-239g-2685-54x3