Skip to main content

uutils coreutils EUVDEUVD-2026-25006

| CVE-2026-35362 LOW
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
3.6
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.6 LOW
AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 07:00 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-25006
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
Patch released
Apr 22, 2026 - 16:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 16:08 nvd
LOW 3.6

DescriptionCVE.org

The safe_traversal module in uutils coreutils, which provides protection against Time-of-Check to Time-of-Use (TOCTOU) symlink races using file-descriptor-relative syscalls, is incorrectly limited to Linux targets. On other Unix-like systems such as macOS and FreeBSD, the utility fails to utilize these protections, leaving directory traversal operations vulnerable to symlink race conditions.

AnalysisAI

Time-of-Check to Time-of-Use (TOCTOU) symlink race condition vulnerability in uutils coreutils affects directory traversal operations on macOS and FreeBSD because the safe_traversal module's file-descriptor-relative syscall protections are incorrectly limited to Linux targets only. Local authenticated attackers with limited privileges can exploit this race condition to read or modify files via symlink manipulation, though exploitation requires specific timing conditions and is not automatable. EPSS and CISA SSVC assessment indicate partial technical impact with no evidence of active exploitation.

Technical ContextAI

The safe_traversal module in uutils coreutils implements TOCTOU race condition mitigations using file-descriptor-relative syscalls (such as openat, fstatat, etc.), which are POSIX.1-2008 standard syscalls that resolve paths relative to a directory file descriptor rather than the global filesystem, eliminating the window between stat and open operations where a symlink could be swapped. These protections are correctly implemented on Linux targets via the openat and related family of syscalls. However, the conditional compilation logic restricts these protections to Linux only, causing fallback to unsafe direct syscalls on other Unix-like systems including macOS and FreeBSD where the same POSIX syscalls are available. This leaves CWE-367 (Time-of-check Time-of-use TOCTOU Race Condition) vulnerability exposed in any coreutils utility that traverses directories, particularly those handling file operations like cp, mv, or install.

RemediationAI

Upgrade uutils coreutils to version 0.6.0 or later, available from https://github.com/uutils/coreutils/releases/tag/0.6.0. The upstream patch (https://github.com/uutils/coreutils/pull/9792) enables the safe_traversal module's POSIX file-descriptor-relative syscall protections on all Unix-like systems, not just Linux. If immediate upgrade is not feasible, restrict local user access to directories processed by coreutils utilities, particularly those performing directory traversal (cp, mv, install). Alternatively, deploy file monitoring on critical directories to detect symlink creation attempts during coreutils operations, though this is a compensating control with operational overhead and may not catch race conditions due to timing constraints. Note that disabling affected utilities is not practical in most environments and is not recommended as a long-term workaround.

Share

EUVD-2026-25006 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy