Description

When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: 1. resolves symlink to its target and stores the resolved path for determining when output is written, 2. opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process. This issue was fixed in version 4.10.

INFO

Published Date :

2026-04-20T11:59:32.214Z

Last Modified :

2026-04-20T13:25:59.530Z

Source :

CERT-PL
AFFECTED PRODUCTS

The following products are affected by CVE-2026-5958 vulnerability.

Vendors Products
Gnu
  • Sed
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-5958.

URL Resource
https://cert.pl/en/posts/2026/04/CVE-2026-5958 cve-icon cve-icon
https://www.gnu.org/software/sed/ cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability