Skip to main content

uutils coreutils EUVDEUVD-2026-24994

| CVE-2026-35356 MEDIUM
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 07:05 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-24994
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
Patch released
Apr 22, 2026 - 16:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 16:08 nvd
MEDIUM 6.3

DescriptionCVE.org

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the install utility of uutils coreutils when using the -D flag. The command creates parent directories and subsequently performs a second path resolution to create the target file, neither of which is anchored to a directory file descriptor. An attacker with concurrent write access can replace a path component with a symbolic link between these operations, redirecting the privileged write to an arbitrary file system location.

AnalysisAI

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attackers with write access to redirect privileged file writes to arbitrary locations. The vulnerability exploits a Time-of-Check to Time-of-Use (TOCTOU) race condition between parent directory creation and target file creation, neither anchored to a directory file descriptor. CISA reports no active exploitation (SSVC: none), but the attack is non-automatable and requires specific concurrent write access conditions.

Technical ContextAI

The install utility in uutils coreutils (a Rust implementation of GNU coreutils) uses the -D flag to create parent directories before writing target files. The vulnerability stems from CWE-367 (TOCTOU race condition): the tool resolves paths in two separate operations without using directory file descriptors to anchor the operations. An attacker with concurrent filesystem write access can replace intermediate path components (e.g., 'foo' in 'foo/bar/baz') with symbolic links between the directory creation phase and the file creation phase, causing the privileged process to follow the symlink and write to an attacker-controlled location. This is a classic privileged symlink attack pattern, mitigated in modern systems through openat()-style APIs that anchor operations to a known directory descriptor.

RemediationAI

Vendor-released patch: upgrade to uutils coreutils 0.7.0 or later, which anchors path operations to directory file descriptors to eliminate the TOCTOU window. For systems unable to upgrade immediately, restrict the install utility to operate only in directories where untrusted local users cannot create symbolic links or concurrent modifications. Alternative workaround: disable the -D flag if not required, or ensure the install utility runs with minimal privilege separation (do not run as root if possible). The patch carries no known side effects. Patch validation and deployment details available at https://github.com/uutils/coreutils/pull/10140.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35355 MEDIUM
6.3 Apr 22

Time-of-Check to Time-of-Use (TOCTOU) race condition in uutils coreutils install utility allows local authenticated atta

Share

EUVD-2026-24994 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy