Description
TOCTOU  in linenoiseHistorySave in linenoise allows local attackers to overwrite arbitrary files and change permissions via a symlink race between fopen("w") on the history path and subsequent chmod() on the same path.
Published: 2025-09-01
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a time‐of‐check to time‐of‐use race in the linenoiseHistorySave routine, allowing a local attacker to create or replace a symlink for the history file and then overwrite the target file when the program opens the path for writing and later applies chmod on that path. The result is that any file reachable by the symlink can be replaced or have its permissions altered, potentially enabling privilege escalation or file corruption.

Affected Systems

This vulnerability affects all versions of the linenoise library released by antirez. The issue is present in every build that uses the default history‑saving code and does not discriminate by version.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity, and the EPSS score of less than 1% implies a very low probability of exploitation. The attack vector is local: it requires a user with write access to the history file and the ability to create a symlink. Because the CVE is not listed in the CISA KEV catalog, no known public exploits are reported. Nevertheless, the local nature of the race means that any privileged local user could abuse the flaw to overwrite system files or grant themselves elevated permissions.

Generated by OpenCVE AI on May 1, 2026 at 06:26 UTC.

Remediation

Vendor Solution

call fchmod() on the fd instead of chmod() on the path

OpenCVE Recommended Actions

  • Upgrade the linenoise library to a version that replaces the chmod on the path with fchmod on the file descriptor, as described in the vendor’s official solution.
  • If an immediate upgrade is not possible, remove or lock the history directory so that the history file cannot be linked to by other users, and set the directory permissions to prevent symlink creation by untrusted accounts.
  • Verify that the history file is stored in a location owned by the same user running the application and that the file system permissions do not allow other local users to write or symlink to it.

Generated by OpenCVE AI on May 1, 2026 at 06:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-26353 TOCTOU  in linenoiseHistorySave in linenoise allows local attackers to overwrite arbitrary files and change permissions via a symlink race between fopen("w") on the history path and subsequent chmod() on the same path.
History

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
References

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:antirez:linenoise:1.0:*:*:*:*:*:*:* cpe:2.3:a:antirez:linenoise:-:*:*:*:*:*:*:*

Mon, 08 Dec 2025 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Antirez
Antirez linenoise
CPEs cpe:2.3:a:antirez:linenoise:1.0:*:*:*:*:*:*:*
Vendors & Products Antirez
Antirez linenoise

Wed, 03 Sep 2025 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 02 Sep 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Sep 2025 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Linenoise Project
Linenoise Project linenoise
Vendors & Products Linenoise Project
Linenoise Project linenoise

Mon, 01 Sep 2025 19:15:00 +0000

Type Values Removed Values Added
Description TOCTOU  in linenoiseHistorySave in linenoise allows local attackers to overwrite arbitrary files and change permissions via a symlink race between fopen("w") on the history path and subsequent chmod() on the same path.
Title TOCTOU race in Linenoise enables arbitrary file overwrite and permission changes
Weaknesses CWE-367
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L'}

Subscriptions

Antirez Linenoise
Linenoise Project Linenoise
cve-icon MITRE

Status: PUBLISHED

Assigner: CyberArk

Published:

Updated: 2026-04-22T15:06:11.462Z

Reserved: 2025-09-01T18:48:53.813Z

Link: CVE-2025-9810

cve-icon Vulnrichment

Updated: 2026-04-22T15:06:11.462Z

cve-icon NVD

Status : Modified

Published: 2025-09-01T19:15:32.573

Modified: 2026-04-22T16:16:52.427

Link: CVE-2025-9810

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-09-01T19:03:19Z

Links: CVE-2025-9810 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T06:30:10Z

Weaknesses