CVE-2026-35356

medium

Description

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the install utility of uutils coreutils when using the -D flag. The command creates parent directories and subsequently performs a second path resolution to create the target file, neither of which is anchored to a directory file descriptor. An attacker with concurrent write access can replace a path component with a symbolic link between these operations, redirecting the privileged write to an arbitrary file system location.

References

https://github.com/uutils/coreutils/releases/tag/0.7.0

https://github.com/uutils/coreutils/pull/10140

Details

Source: Mitre, NVD

Published: 2026-04-22

Updated: 2026-04-22

Risk Information

CVSS v2

Base Score: 5.5

Vector: CVSS2#AV:L/AC:H/Au:S/C:N/I:C/A:C

Severity: Medium

CVSS v3

Base Score: 6.3

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H