Description

The safe_traversal module in uutils coreutils, which provides protection against Time-of-Check to Time-of-Use (TOCTOU) symlink races using file-descriptor-relative syscalls, is incorrectly limited to Linux targets. On other Unix-like systems such as macOS and FreeBSD, the utility fails to utilize these protections, leaving directory traversal operations vulnerable to symlink race conditions.

INFO

Published Date :

2026-04-22T16:08:33.266Z

Last Modified :

2026-04-22T17:28:40.509Z

Source :

canonical
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35362 vulnerability.

Vendors Products
Uutils
  • Coreutils
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35362.

URL Resource
https://github.com/uutils/coreutils/pull/9792 cve-icon cve-icon
https://github.com/uutils/coreutils/releases/tag/0.6.0 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact