Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
The mknod utility in uutils coreutils fails to handle security labels atomically by creating device nodes before setting the SELinux context. If labeling fails, the utility attempts cleanup using std::fs::remove_dir, which cannot remove device nodes or FIFOs. This leaves mislabeled nodes behind with incorrect default contexts, potentially allowing unauthorized access to device nodes that should have been restricted by mandatory access controls.
AnalysisAI
The mknod utility in uutils coreutils creates device nodes before atomically applying SELinux security labels, and fails to properly clean up mislabeled nodes if labeling operations fail. This leaves device nodes with incorrect default SELinux contexts, potentially bypassing mandatory access control restrictions on systems where SELinux is enforcing. Affects coreutils versions prior to 0.6.0; exploitation requires local root or elevated privileges and is not currently publicly exploited, though cleanup failures are guaranteed on labeling failure.
Technical ContextAI
The mknod utility is responsible for creating special device files (character or block devices) and named pipes (FIFOs) in Unix-like filesystems. The vulnerability lies in the non-atomic sequence: the utility first creates the device node with default permissions and context, then attempts to apply SELinux security labels via the libselinux API. If the labeling step fails (due to missing SELinux policy, permission denial, or other errors), the code attempts cleanup using std::fs::remove_dir, which is designed for directory removal and cannot remove device nodes or FIFO files. This is a privilege escalation and access control bypass vulnerability rooted in CWE-281 (Improper Access Control - improper or missing enforcement of mandatory access controls). The root cause is the assumption that remove_dir will clean up any filesystem object, when device nodes require unlink() or equivalent removal primitives.
RemediationAI
Vendor-released patch: upgrade to uutils coreutils 0.6.0 or later (see GitHub release tag at https://github.com/uutils/coreutils/releases/tag/0.6.0). The upstream fix (PR #10582 at https://github.com/uutils/coreutils/pull/10582) implements atomic node creation and labeling by applying SELinux contexts before completing the mknod operation, or rolling back the node creation entirely if labeling fails. For systems unable to upgrade immediately, compensating controls include: restrict mknod utility execution via Linux capabilities (CAP_MKNOD) to only trusted system services, use AppArmor or SELinux policies to confine mknod invocations and deny label-setting on sensitive device paths, or disable mknod altogether if device nodes are pre-created at boot. Note that these controls add operational complexity and may break legitimate system administration workflows.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Same weakness CWE-281 – Improper Preservation of Permissions
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25004
GHSA-79rc-qpw3-jv92