Description
A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO and then performs a path-based chmod to set permissions. A local attacker with write access to the parent directory can swap the newly created FIFO for a symbolic link between these two operations. This redirects the chmod call to an arbitrary file, potentially enabling privilege escalation if the utility is run with elevated privileges.
Published: 2026-04-22
Score: 7 (High)
EPSS: < 1% (Very Low)
KEV: No
Impact: Privilege Escalation via TOCTOU race condition
Action: Apply Patch
AI Analysis

Impact

The mkfifo utility in uutils coreutils contains a Time-of-Check to Time-of-Use race condition. A local attacker with write access to the parent directory can replace the FIFO that mkfifo has just created with a symlink before the subsequent path-based chmod runs, causing the chmod to be applied to an arbitrary file. When mkfifo is executed with elevated rights, this lets the attacker change the permissions of critical files, resulting in privilege escalation.
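To make the window concrete, here is an added C example (not code from uutils coreutils or from this advisory) that replays the swap deterministically in one process and contrasts the path-based chmod() with a descriptor-based fchmod() after an O_NOFOLLOW open; the temporary directory, file names and modes are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Step 2 as in the vulnerable pattern: chmod() re-resolves `path` and follows
 * symlinks, so whatever sits at `path` at that instant receives the mode. */
int set_mode_by_path(const char *path, mode_t mode) {
    return chmod(path, mode);
}
/* Hardened step 2: open the name with O_NOFOLLOW (a swapped-in symlink fails
 * with ELOOP), confirm with fstat() that it is still a FIFO, then fchmod() the
 * descriptor so the change can only land on the inode actually opened. */
int set_mode_nofollow_fifo(const char *path, mode_t mode) {
    /* O_RDONLY|O_NONBLOCK opens a FIFO's read end without waiting for a writer. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISFIFO(st.st_mode)) { close(fd); return -1; }
    int rc = fchmod(fd, mode); close(fd);
    return rc;
}
/* Replays the race in one process (constructed scenario): create the FIFO, swap
 * a symlink to a 0600 victim file into its place (the attacker's move inside the
 * window), run step 2, and return the victim's permission bits (-1 on failure). */
int replay_race(int hardened) {
    char dir[] = "/tmp/mkfifo-toctou-XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char victim[64], fifo[64];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(fifo, sizeof fifo, "%s/fifo", dir);
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0 || fchmod(vfd, 0600) != 0 || mkfifo(fifo, 0600) != 0) return -1;
    close(vfd);
    /* The window: the name now resolves to the victim instead of the FIFO. */
    if (unlink(fifo) != 0 || symlink(victim, fifo) != 0) return -1;
    if (hardened) set_mode_nofollow_fifo(fifo, 0666);
    else set_mode_by_path(fifo, 0666);
    struct stat st; int bits = stat(victim, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
    unlink(fifo); unlink(victim); rmdir(dir);
    return bits;
}
int main(void) {
    printf("path-based chmod:      victim mode %04o\n", replay_race(0));
    printf("O_NOFOLLOW + fchmod(): victim mode %04o\n", replay_race(1));
    return 0;
}
```

A stricter variant of the hardened step would also compare st_uid against geteuid() so that a FIFO substituted by another user is refused as well.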

Affected Systems

The affected product is uutils coreutils. No specific version numbers are listed, so all releases prior to the fix should be treated as potentially impacted.

Risk and Exploitability

The vulnerability carries a CVSS base score of 7 (rated High), indicating moderate to high risk. Its EPSS score of <1% (approximately 0.0001) indicates a very low probability of exploitation, and it is not in the CISA KEV catalog. The attack vector is local: an attacker must already have write permission in the directory where the FIFO is created and must win the race between the FIFO creation and the chmod. Exploitation also requires the utility to run with elevated privileges, such as through a set-uid wrapper or a cron job; under those conditions host compromise is a real threat.

Generated by OpenCVE AI on April 28, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update uutils coreutils to the latest version that includes the race condition fix.
  • If an update is not immediately possible, limit write access to directories where mkfifo is used, ensuring that untrusted users cannot create or rename files there.
  • Run mkfifo only under non-privileged accounts or use additional safeguards such as SELinux/AppArmor to enforce strict permission boundaries.

Advisories

Source: Github GHSA
ID: GHSA-9gh9-hwpr-rvqq
Title: uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition
History

Mon, 04 May 2026 18:30:00 +0000

Mon, 04 May 2026 12:30:00 +0000
  References: updated (values not shown)

Fri, 24 Apr 2026 19:15:00 +0000
  First Time appeared (added): Uutils; Uutils coreutils
  CPEs (added): cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:*
  Vendors & Products (added): Uutils; Uutils coreutils

Fri, 24 Apr 2026 14:15:00 +0000
  Metrics ssvc (removed): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}
  Metrics ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 19:15:00 +0000
  Metrics ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 16:30:00 +0000
  Description (added): A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO and then performs a path-based chmod to set permissions. A local attacker with write access to the parent directory can swap the newly created FIFO for a symbolic link between these two operations. This redirects the chmod call to an arbitrary file, potentially enabling privilege escalation if the utility is run with elevated privileges.
  Title (added): uutils coreutils mkfifo Privilege Escalation via TOCTOU Race Condition
  Weaknesses (added): CWE-367
  References (added): (values not shown)
  Metrics cvssV3_1 (added): {'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE
  Status: PUBLISHED
  Assigner: canonical
  Published:
  Updated: 2026-05-04T17:32:54.701Z
  Reserved: 2026-04-02T12:58:56.087Z
  Link: CVE-2026-35352

Vulnrichment
  Updated: 2026-05-04T17:32:54.701Z

NVD
  Status: Modified
  Published: 2026-04-22T17:16:37.597
  Modified: 2026-05-04T18:16:28.370
  Link: CVE-2026-35352

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-04-28T15:30:34Z

Weaknesses