Description
The mktemp utility in uutils coreutils fails to properly handle an empty TMPDIR environment variable. Unlike GNU mktemp, which falls back to /tmp when TMPDIR is an empty string, the uutils implementation treats the empty string as a valid path. This causes temporary files to be created in the current working directory (CWD) instead of the intended secure temporary directory. If the CWD is more permissive or accessible to other users than /tmp, it may lead to unintended information disclosure or unauthorized access to temporary data.
Published: 2026-04-22
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The mktemp tool in the uutils coreutils suite incorrectly handles an empty TMPDIR environment variable. Unlike the GNU implementation that defaults to /tmp, the uutils version treats the empty string as a literal path and creates temporary files in the current working directory. Because the working directory may have more permissive permissions than the system temporary directory, the temporary data could become visible or editable by other users, leading to unintended information disclosure or unauthorized access.
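As an added illustration of the behaviour the advisory describes (this is example code written for this page, not uutils or OpenCVE code), the block below contrasts the two ways a mktemp-style tool can turn the TMPDIR value into a directory: the vulnerable form accepts an empty string, so the template path becomes a bare relative name that the kernel resolves against the current working directory, while the GNU-compatible form treats an empty TMPDIR like an unset one and falls back to /tmp. It also shows a defensive file-creation routine that refuses any non-absolute temporary directory and opens the file with O_EXCL and mode 0600. The function names, the `DEFAULT_TMPDIR` constant and the time-and-pid suffix generator are assumptions made for the example; a real mktemp draws its suffix from a CSPRNG.

```rust
// Added example (not uutils or OpenCVE code): how an empty TMPDIR resolves
// in a mktemp-style tool, the GNU-compatible fallback, and a private-file
// creation routine that refuses a relative temporary directory.
use std::path::{Path, PathBuf};

/// Default directory when TMPDIR is unset (GNU mktemp also falls back to /tmp).
const DEFAULT_TMPDIR: &str = "/tmp";

/// Behaviour described in the advisory: TMPDIR is consulted only for presence,
/// so an empty string is accepted as a directory. `Path::new("").join(t)` is the
/// bare relative name `t`, which resolves against the current working directory.
pub fn resolve_tmpdir_vulnerable(tmpdir: Option<&str>, template: &str) -> PathBuf {
    match tmpdir {
        Some(dir) => Path::new(dir).join(template),
        None => Path::new(DEFAULT_TMPDIR).join(template),
    }
}

/// GNU-compatible resolution: an empty TMPDIR is treated exactly like an unset one.
pub fn resolve_tmpdir_fixed(tmpdir: Option<&str>, template: &str) -> PathBuf {
    let dir = match tmpdir {
        Some(d) if !d.is_empty() => d,
        _ => DEFAULT_TMPDIR,
    };
    Path::new(dir).join(template)
}

/// Defence in depth: a temporary directory that is not absolute (which includes
/// the empty string) would place files relative to the caller's CWD; refuse it.
pub fn is_acceptable_tmpdir(dir: &Path) -> bool {
    dir.is_absolute()
}

/// Placeholder suffix generator (assumption for this example: a real mktemp uses
/// random characters from a CSPRNG; time and pid are used here only so the
/// example runs without external crates).
fn unique_suffix() -> String {
    use std::time::{SystemTime, UNIX_EPOCH};
    let nanos = SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .map(|d| d.subsec_nanos())
        .unwrap_or(0);
    format!("{:x}{:x}", std::process::id(), nanos)
}

/// Create the temporary file the way mktemp is expected to: create_new (O_EXCL)
/// so an existing path, such as a symlink planted by another user, is never
/// followed, and mode 0600 so other local users cannot read the contents.
#[cfg(unix)]
pub fn create_private_temp_file(dir: &Path, template: &str) -> std::io::Result<PathBuf> {
    use std::fs::OpenOptions;
    use std::io::{Error, ErrorKind};
    use std::os::unix::fs::OpenOptionsExt;

    if !is_acceptable_tmpdir(dir) {
        return Err(Error::new(
            ErrorKind::InvalidInput,
            "temporary directory must be an absolute path",
        ));
    }
    let path = dir.join(template.replacen("XXXXXX", &unique_suffix(), 1));
    OpenOptions::new()
        .write(true)
        .create_new(true)
        .mode(0o600)
        .open(&path)?;
    Ok(path)
}

fn main() {
    // Constructed inputs: unset, empty, and an explicit absolute TMPDIR.
    for tmpdir in [None, Some(""), Some("/var/tmp")].iter().copied() {
        println!(
            "TMPDIR={:?}: vulnerable -> {}, fixed -> {}",
            tmpdir,
            resolve_tmpdir_vulnerable(tmpdir, "tmp.XXXXXX").display(),
            resolve_tmpdir_fixed(tmpdir, "tmp.XXXXXX").display()
        );
    }
    #[cfg(unix)]
    match create_private_temp_file(Path::new(DEFAULT_TMPDIR), "tmp.XXXXXX") {
        Ok(p) => {
            println!("created {}", p.display());
            let _ = std::fs::remove_file(&p);
        }
        Err(e) => println!("could not create temp file: {}", e),
    }
}
```

Running the block prints `tmp.XXXXXX` for the vulnerable resolution of an empty TMPDIR (a relative name, i.e. the CWD) against `/tmp/tmp.XXXXXX` for the fixed one; the absolute-path check in `create_private_temp_file` is the kind of guard a wrapper script or calling program can apply while an upgrade to 0.6.0 is pending.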

Affected Systems

The vulnerability affects the mktemp utility in the uutils coreutils collection. No specific version range is documented by the CNA, but the referenced release 0.6.0 includes the remediation. Administrators should target the uutils coreutils package when assessing deployments.

Risk and Exploitability

The CVSS score is 3.3, indicating low overall impact. The EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation. Because creating temporary files requires local user execution, the attack vector is most likely local. An attacker who can run mktemp or influence the TMPDIR environment could cause temporary files to be written to a directory with looser permissions, exposing or allowing modification of temporary data. The risk remains modest, but patching mitigates the potential for local information leakage.

Generated by OpenCVE AI on April 22, 2026 at 18:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the uutils coreutils package to version 0.6.0 or later, which contains a fix that properly handles empty TMPDIR values.
  • Configure TMPDIR to a secure, writable directory such as /tmp, and avoid leaving the variable empty; consider unsetting TMPDIR to trigger the fallback behavior.
  • If upgrading is not yet possible, set TMPDIR explicitly at runtime or use a wrapper script to ensure temporary files are created in a safe directory.

Generated by OpenCVE AI on April 22, 2026 at 18:17 UTC.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 19:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 16:30:00 +0000

Type        | Values Removed | Values Added
Description |                | The mktemp utility in uutils coreutils fails to properly handle an empty TMPDIR environment variable. Unlike GNU mktemp, which falls back to /tmp when TMPDIR is an empty string, the uutils implementation treats the empty string as a valid path. This causes temporary files to be created in the current working directory (CWD) instead of the intended secure temporary directory. If the CWD is more permissive or accessible to other users than /tmp, it may lead to unintended information disclosure or unauthorized access to temporary data.
Title       |                | uutils coreutils mktemp Insecure Temporary File Placement via Empty TMPDIR
Weaknesses  |                | CWE-377
References  |                |
Metrics     |                | cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T18:15:53.932Z

Reserved: 2026-04-02T12:58:56.087Z

Link: CVE-2026-35342

Vulnrichment

Updated: 2026-04-22T18:15:49.984Z

NVD

Status: Awaiting Analysis

Published: 2026-04-22T17:16:36.217

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-35342

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T18:30:23Z

Weaknesses