The install command of uutils coreutils contains a TOCTOU race condition when the -D flag is used. The utility first creates parent directories and then performs a second path resolution to create the target file, with neither resolution tied to a directory file descriptor. This design allows an attacker with concurrent write access to replace a path component with a symbolic link between the two operations, causing the privileged write to occur at an arbitrary filesystem location. The effect is an arbitrary file overwrite, potentially enabling destructive changes or privilege escalation.

The flaw affects the install utility in the uutils:coreutils package. No specific version range is given in the advisory, but the issue is present in the current releases cited (e.g. the pull request merged in release 0.7.0). The product is typically used on systems that provide a Unix‑like shell environment. Systems that run uutils coreutils and rely on install -D for file recreation are at risk.

The CVSS score is 6.3, indicating a medium severity. An EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog. The vulnerability requires the attacker to have the ability to perform concurrent writes on the same filesystem path, meaning local or privileged users can exploit it. Because the race occurs between directory creation and file creation, an attack would likely need a user who can create or modify a symbolic link in the path while another session runs install -D. No remote exploitation path is described in the provided data, so the attack vector is inferred to be local. The presence of a TOCTOU flaw suggests the risk may be elevated if an attacker gains temporary or shared write access.