Description
The install utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file installation. The implementation unlinks an existing destination file and then recreates it using a path-based operation without the O_EXCL flag. A local attacker can exploit the window between the unlink and the subsequent creation to swap the path with a symbolic link, allowing them to redirect privileged writes to overwrite arbitrary system files.
Published: 2026-04-22
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file overwrite via symlink TOCTOU race
Action: Immediate Patch
AI Analysis

Impact

The install utility in uutils coreutils implements a two‑step file creation, first unlinking an existing destination and then creating the new file without the O_EXCL flag. The time gap between unlinking and recreating the file allows a local attacker to create a symbolic link that redirects the write operation to an arbitrary system file. The result is that privileged writes can be redirected to overwrite existing files, compromising the integrity of the affected system. This flaw is a classic Time‑of‑Check to Time‑of‑Use (CWE‑367) weakness.

Affected Systems

The affected product is uutils coreutils. No specific affected release version is listed in the CVE data, so all versions prior to the fix should be considered vulnerable.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploitation in the wild. The attack vector is local; a user with write access to the installation paths can target the race condition. No remote exploitation path is documented in the provided description.

Generated by OpenCVE AI on April 22, 2026 at 18:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to uutils coreutils version 0.6.0 or later, where the race condition has been fixed.
  • If upgrading is not immediately possible, restrict write permissions on installation targets and disallow symlink creation for unprivileged users.
  • Audit the system for unexpected symbolic links in install directories and monitor for anomalous file modifications in critical paths.
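As an added example (not code from uutils coreutils; the function names are hypothetical and a Unix host is assumed), the following Rust shows the pattern that closes the window described in the Impact section: the new content is written to a temporary file created with O_CREAT|O_EXCL in the destination's own directory and then rename()d over the destination, so the target path is never unlinked and then reopened by name. It also includes a small recursive check for symbolic links in an install directory, of the kind the audit recommendation above asks for.

```rust
// Added example, not uutils code. Hardened install step plus a symlink audit.
use std::fs::{self, File, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::OpenOptionsExt;
use std::path::{Path, PathBuf};

/// Open `path` with O_CREAT|O_EXCL (Rust's `create_new`) and the given mode.
/// O_EXCL makes the kernel refuse with EEXIST if anything already occupies the
/// name, including a symlink (even a dangling one), so the open can never be
/// redirected to another file.
pub fn create_exclusive(path: &Path, mode: u32) -> io::Result<File> {
    OpenOptions::new().write(true).create_new(true).mode(mode).open(path)
}

/// Install `contents` at `dest` without an unlink-then-create window.
/// 1. Create a uniquely named temp file in the same directory via O_EXCL.
/// 2. Write and fsync it.
/// 3. rename() it over `dest`: the directory entry is replaced atomically and
///    rename never follows a symlink sitting at the destination name.
pub fn install_atomic(dest: &Path, contents: &[u8], mode: u32) -> io::Result<()> {
    let dir = match dest.parent() {
        Some(d) if !d.as_os_str().is_empty() => d.to_path_buf(),
        _ => PathBuf::from("."),
    };
    let name = dest
        .file_name()
        .and_then(|n| n.to_str())
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "bad destination name"))?;

    // Pick a temp name in the target directory; retry if that name is taken.
    let mut opened = None;
    for attempt in 0..64u32 {
        let tmp = dir.join(format!(".{}.{}.{}.tmp", name, std::process::id(), attempt));
        match create_exclusive(&tmp, mode) {
            Ok(f) => {
                opened = Some((f, tmp));
                break;
            }
            Err(e) if e.kind() == io::ErrorKind::AlreadyExists => continue,
            Err(e) => return Err(e),
        }
    }
    let (mut file, tmp) = opened.ok_or_else(|| {
        io::Error::new(io::ErrorKind::AlreadyExists, "no free temp name in target dir")
    })?;

    // On any failure remove our own temp file so nothing half-written remains.
    let result = file
        .write_all(contents)
        .and_then(|_| file.sync_all())
        .and_then(|_| fs::rename(&tmp, dest));
    if let Err(e) = result {
        let _ = fs::remove_file(&tmp);
        return Err(e);
    }
    Ok(())
}

/// Audit helper: list every symbolic link under `dir`. Uses symlink_metadata
/// so links are reported rather than followed, and symlinked directories are
/// not descended into.
pub fn find_symlinks(dir: &Path) -> io::Result<Vec<PathBuf>> {
    let mut found = Vec::new();
    for entry in fs::read_dir(dir)? {
        let path = entry?.path();
        let ft = fs::symlink_metadata(&path)?.file_type();
        if ft.is_symlink() {
            found.push(path);
        } else if ft.is_dir() {
            found.extend(find_symlinks(&path)?);
        }
    }
    Ok(found)
}

fn main() -> io::Result<()> {
    // Constructed demo directory under the system temp dir.
    let dir = std::env::temp_dir().join(format!("install_example_{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let dest = dir.join("demo.bin");
    install_atomic(&dest, b"#!/bin/sh\necho installed\n", 0o755)?;
    println!("installed {}; symlinks found: {:?}", dest.display(), find_symlinks(&dir)?);
    fs::remove_dir_all(&dir)
}
```

The temp file and the destination must be on the same filesystem for rename() to be atomic; an installer that supports cross-device targets needs a separate copy path, which this example does not cover.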

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 18:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 16:30:00 +0000

Type          Values Removed   Values Added
Description   (none)           The install utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file installation. The implementation unlinks an existing destination file and then recreates it using a path-based operation without the O_EXCL flag. A local attacker can exploit the window between the unlink and the subsequent creation to swap the path with a symbolic link, allowing them to redirect privileged writes to overwrite arbitrary system files.
Title         (none)           uutils coreutils install Arbitrary File Overwrite via Symlink TOCTOU Race
Weaknesses    (none)           CWE-367
References    (none)
Metrics       (none)           cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T18:01:47.122Z

Reserved: 2026-04-02T12:58:56.087Z

Link: CVE-2026-35355

Vulnrichment

Updated: 2026-04-22T18:01:21.419Z

NVD

Status: Awaiting Analysis

Published: 2026-04-22T17:16:37.993

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-35355

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T18:15:15Z

Weaknesses