CVE-2026-35356

Summary

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the install utility of uutils coreutils when using the -D flag. The command creates parent directories and subsequently performs a second path resolution to create the target file, neither of which is anchored to a directory file descriptor. An attacker with concurrent write access can replace a path component with a symbolic link between these operations, redirecting the privileged write to an arbitrary file system location.

Affected Software

VendorProductVersion RangeStatus
Uutilscoreutils0 < 0.7.0affected

Weaknesses

  • CWE-367: CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References