Description

The install utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file installation. The implementation unlinks an existing destination file and then recreates it using a path-based operation without the O_EXCL flag. A local attacker can exploit the window between the unlink and the subsequent creation to swap the path with a symbolic link, allowing them to redirect privileged writes to overwrite arbitrary system files.

INFO

Published Date :

2026-04-22T16:08:14.960Z

Last Modified :

2026-04-22T18:01:47.122Z

Source :

canonical
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35355 vulnerability.

Vendors Products
Uutils
  • Coreutils
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35355.

URL Resource
https://github.com/uutils/coreutils/pull/10067 cve-icon cve-icon cve-icon
https://github.com/uutils/coreutils/releases/tag/0.6.0 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact