Description
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mv utility of uutils coreutils during cross-device moves. The extended attribute (xattr) preservation logic uses multiple path-based system calls that perform fresh path-to-inode lookups for each operation. A local attacker with write access to the directory can exploit this race to swap files between calls, causing the destination file to receive an inconsistent mix of security xattrs, such as SELinux labels or file capabilities.
Published: 2026-04-22
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Inconsistent security attributes potentially enabling privilege escalation
Action: Assess Impact
AI Analysis

Impact

The mv utility in uutils coreutils contains a Time-of-Check to Time-of-Use race that allows a local attacker with write access to a directory to swap files during a cross-device move. The bug causes the destination file to receive an inconsistent mix of extended attributes such as SELinux labels or file capabilities. This flaw is a classic TOCTOU problem (CWE-367), which can enable privilege escalation or bypass of security controls by tampering with these attributes.

Affected Systems

All releases of the uutils coreutils mv command are potentially affected. No specific version range is provided, so any installed instance should be treated as vulnerable until an official patch or update is available.

Risk and Exploitability

The CVSS score of 4.7 indicates moderate severity, and the EPSS score is 0.0001, indicating a very low exploitation probability; the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a local attacker who can write to the directory involved in the cross-device move. If such access exists, the attacker can swap files during the move, so the destination file inherits a mixed set of security attributes that may allow unauthorized access or the execution of actions with elevated privileges.

Generated by OpenCVE AI on April 28, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest uutils coreutils update or the vendor-supplied patch that fixes the TOCTOU race condition.
  • If an update is not immediately available, restrict write permissions on the involved directories to prevent local attackers from modifying the target during the move.
  • Enable auditing or logging of extended attribute changes to detect unexpected mixes and review logs regularly.


Advisories

Source: GitHub GHSA
ID: GHSA-x4mc-mqm7-gg39
Title: uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition
History

(Each entry lists the record fields and the values added; no values were removed in any entry.)

Fri, 24 Apr 2026 19:15:00 +0000

  First Time appeared (values added): Uutils; Uutils coreutils
  CPEs (values added): cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:*
  Vendors & Products (values added): Uutils; Uutils coreutils

Wed, 22 Apr 2026 19:15:00 +0000

  Metrics ssvc (values added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 16:30:00 +0000

  Description (values added): A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mv utility of uutils coreutils during cross-device moves. The extended attribute (xattr) preservation logic uses multiple path-based system calls that perform fresh path-to-inode lookups for each operation. A local attacker with write access to the directory can exploit this race to swap files between calls, causing the destination file to receive an inconsistent mix of security xattrs, such as SELinux labels or file capabilities.
  Title (values added): uutils coreutils mv Security Xattr TOCTOU Race in Cross-Device
  Weaknesses (values added): CWE-367
  References (values added): (none shown)
  Metrics cvssV3_1 (values added): {'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T18:02:57.031Z

Reserved: 2026-04-02T12:58:56.087Z

Link: CVE-2026-35354

Vulnrichment

Updated: 2026-04-22T18:02:46.129Z

NVD

Status : Analyzed

Published: 2026-04-22T17:16:37.867

Modified: 2026-04-24T19:04:08.917

Link: CVE-2026-35354

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T15:30:34Z

Weaknesses