Skip to main content

uutils coreutils EUVDEUVD-2026-24996

| CVE-2026-35357 MEDIUM
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-04-22 canonical GHSA-2m8x-mvfx-gwgj
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 23, 2026 - 07:05 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-24996
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
CVE Published
Apr 22, 2026 - 16:08 nvd
MEDIUM 4.7

DescriptionCVE.org

The cp utility in uutils coreutils is vulnerable to an information disclosure race condition. Destination files are initially created with umask-derived permissions (e.g., 0644) before being restricted to their final mode (e.g., 0600) later in the process. A local attacker can race to open the file during this window; once obtained, the file descriptor remains valid and readable even after the permissions are tightened, exposing sensitive or private file contents.

AnalysisAI

The cp utility in uutils coreutils exposes sensitive file contents through a race condition where destination files are created with overly permissive umask-derived permissions before being restricted to their final restrictive mode. A local authenticated attacker can open the file during this narrow window to obtain a valid file descriptor that remains readable even after permissions are tightened, bypassing intended access controls. CVSS 4.7 with high confidentiality impact but limited exploitability due to high attack complexity and moderate SSVC rating.

Technical ContextAI

The vulnerability stems from a Time-of-Check-Time-of-Use (TOCTOU) race condition in the file creation process, classified under CWE-367 (Time-of-check Time-of-use). The cp utility creates destination files with default umask permissions (typically 0644 for world-readable) before applying the intended restrictive permissions (such as 0600 for owner-only). In Unix-like systems, once a file descriptor is opened by a process, the descriptor remains valid and retains its original access permissions regardless of subsequent changes to the file's mode bits. The affected product is uutils coreutils (CPE: cpe:2.3:a:uutils:coreutils), a Rust-based implementation of POSIX core utilities that aims to provide GNU coreutils replacements.

RemediationAI

Apply a vendor-released patch once available by updating uutils coreutils to a patched version (specific fix version number not yet published per available data). The recommended mitigation involves modifying the cp utility's implementation to atomically create destination files with restrictive permissions from the outset, eliminating the race condition window entirely. Alternative compensating controls include restricting local shell access to trusted users only via proper access controls and file permissions (trade-off: may limit legitimate administrative flexibility), monitoring file access patterns for suspicious concurrent opens during cp operations (trade-off: performance overhead), or using temporary file locations with pre-set restrictive permissions before copying content (trade-off: increases complexity and disk I/O). Until patches are released, audit systems to identify sensitive files being copied via cp and consider manual verification of resulting file permissions post-copy. See upstream issue https://github.com/uutils/coreutils/issues/10011 for patch status updates.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

EUVD-2026-24996 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy