Description
The cp utility in uutils coreutils is vulnerable to an information disclosure race condition. Destination files are initially created with umask-derived permissions (e.g., 0644) before being restricted to their final mode (e.g., 0600) later in the process. A local attacker can race to open the file during this window; once obtained, the file descriptor remains valid and readable even after the permissions are tightened, exposing sensitive or private file contents.
Published: 2026-04-22
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The cp utility in the Uutils coreutils package copies files by first creating the destination file with permissions derived from the process umask, then later changing the file mode to the desired value. During this brief window an attacker with local access can open the file before the mode is adjusted. Because the file descriptor remains valid and readable after the permissions are tightened, the attacker can read the file’s contents that were not intended to be exposed. This race condition results in a local information disclosure that can expose sensitive or private data stored by the user performing the copy.

Affected Systems

The vulnerability affects the Uutils coreutils package on any environment that uses its cp command. No specific version ranges are listed, so any installation of the package that has not applied the upstream fix is considered vulnerable.

Risk and Exploitability

The CVSS score of 4.7 indicates a moderate severity. EPSS information is unavailable, and the issue is not currently on CISA’s KEV list. The attack requires local user privileges and the ability to race with the cp process, making the exploit practical for an attacker who can run commands on the same system. Once executed, the attacker can read the contents of the target file despite the final permissions being set to a more restrictive mode.

Generated by OpenCVE AI on April 22, 2026 at 18:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update uutils coreutils to a version that removes the race condition by creating target files with the correct permissions from the start.
  • If an update is not immediately available, enforce a stricter umask (e.g., 077) before executing cp so that the temporary permissions are minimally permissive.
  • Consider substituting the built‑in cp with a safer alternative that does not expose permissions during the copy process or disable cp for untrusted users.

Generated by OpenCVE AI on April 22, 2026 at 18:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description The cp utility in uutils coreutils is vulnerable to an information disclosure race condition. Destination files are initially created with umask-derived permissions (e.g., 0644) before being restricted to their final mode (e.g., 0600) later in the process. A local attacker can race to open the file during this window; once obtained, the file descriptor remains valid and readable even after the permissions are tightened, exposing sensitive or private file contents.
Title uutils coreutils cp Information Disclosure via Permission Handling Race
Weaknesses CWE-367
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T17:58:29.122Z

Reserved: 2026-04-02T12:58:56.087Z

Link: CVE-2026-35357

cve-icon Vulnrichment

Updated: 2026-04-22T17:58:11.210Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-22T17:16:38.267

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-35357

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T18:15:15Z

Weaknesses