CVE-2026-35352

uutils coreutils mkfifo Privilege Escalation via TOCTOU Race Condition

CVSS 7 HIGHEPSS 0.1%CWE-367

A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO and then performs a path-based chmod to set permissions. A local attacker with write access to the parent directory can swap the newly created FIFO for a symbolic link between these two operations. This redirects the chmod call to an arbitrary file, potentially enabling privilege escalation if the utility is run with elevated privileges.

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Produtos afetados

Uutils · coreutils

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/uutils/coreutils/issues/10020 http://www.openwall.com/lists/oss-security/2026/05/04/4 http://www.openwall.com/lists/oss-security/2026/05/04/5 http://www.openwall.com/lists/oss-security/2026/05/04/6