Skip to main content

uutils coreutils EUVDEUVD-2026-25004

| CVE-2026-35361 LOW
Improper Preservation of Permissions (CWE-281)
3.4
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.4 LOW
AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 07:00 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-25004
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
Patch released
Apr 22, 2026 - 16:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 16:08 nvd
LOW 3.4

DescriptionCVE.org

The mknod utility in uutils coreutils fails to handle security labels atomically by creating device nodes before setting the SELinux context. If labeling fails, the utility attempts cleanup using std::fs::remove_dir, which cannot remove device nodes or FIFOs. This leaves mislabeled nodes behind with incorrect default contexts, potentially allowing unauthorized access to device nodes that should have been restricted by mandatory access controls.

AnalysisAI

The mknod utility in uutils coreutils creates device nodes before atomically applying SELinux security labels, and fails to properly clean up mislabeled nodes if labeling operations fail. This leaves device nodes with incorrect default SELinux contexts, potentially bypassing mandatory access control restrictions on systems where SELinux is enforcing. Affects coreutils versions prior to 0.6.0; exploitation requires local root or elevated privileges and is not currently publicly exploited, though cleanup failures are guaranteed on labeling failure.

Technical ContextAI

The mknod utility is responsible for creating special device files (character or block devices) and named pipes (FIFOs) in Unix-like filesystems. The vulnerability lies in the non-atomic sequence: the utility first creates the device node with default permissions and context, then attempts to apply SELinux security labels via the libselinux API. If the labeling step fails (due to missing SELinux policy, permission denial, or other errors), the code attempts cleanup using std::fs::remove_dir, which is designed for directory removal and cannot remove device nodes or FIFO files. This is a privilege escalation and access control bypass vulnerability rooted in CWE-281 (Improper Access Control - improper or missing enforcement of mandatory access controls). The root cause is the assumption that remove_dir will clean up any filesystem object, when device nodes require unlink() or equivalent removal primitives.

RemediationAI

Vendor-released patch: upgrade to uutils coreutils 0.6.0 or later (see GitHub release tag at https://github.com/uutils/coreutils/releases/tag/0.6.0). The upstream fix (PR #10582 at https://github.com/uutils/coreutils/pull/10582) implements atomic node creation and labeling by applying SELinux contexts before completing the mknod operation, or rolling back the node creation entirely if labeling fails. For systems unable to upgrade immediately, compensating controls include: restrict mknod utility execution via Linux capabilities (CAP_MKNOD) to only trusted system services, use AppArmor or SELinux policies to confine mknod invocations and deny label-setting on sensitive device paths, or disable mknod altogether if device nodes are pre-created at boot. Note that these controls add operational complexity and may break legitimate system administration workflows.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

EUVD-2026-25004 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy