CVE-2026-35360 - Vulnerability Details

- uutils coreutils touch Arbitrary File Truncation via TOCTOU Race Condition

Description

The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss.

Published: 2026-04-22

Score: 6.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The touch command in uutils coreutils can truncate an existing file when a Time‑of‑Check to Time‑of‑Use (TOCTOU) race condition occurs. During file creation, the utility verifies that the target path is missing and later calls File::create(), which internally uses O_TRUNC. An attacker can exploit the window between the check and the use by creating or switching a symbolic link at the target path, causing the touch command to truncate an existing file and permanently erase its data. This weakness corresponds to CWE‑367 and can lead to irreversible loss of critical information.

Affected Systems

The affected product is uutils coreutils. No specific version information is supplied, so all releases that include the touch utility are potentially vulnerable until a patch is released.

Risk and Exploitability

The CVSS score of 6.3 indicates a medium severity vulnerability. Although the EPSS score is not provided, the risk of exploitation depends on the attacker’s ability to influence file creation paths. The vulnerability is not currently listed in the CISA KEV catalog. It is most likely exploitable in a local environment where the attacker has write permission to the target directory, or remotely if a privileged service runs touch with elevated rights. An attacker with such access could deliberately truncate a file by swapping a symlink at the target path during the race window. The absence of a publicly available patch suggests the need for immediate mitigation to prevent potential data loss.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor	Product	Default status	Versions
Uutils	coreutils	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Install an updated release of uutils coreutils that addresses the TOCTOU race condition once it becomes available.
Where an update cannot be applied immediately, restrict write permissions on directories that are frequently accessed by the touch command so that only authorized users can create or replace files there.
Configure the filesystem or use access control lists (ACLs) to prevent ordinary users from creating or modifying symlinks that resolve to critical files.
Implement file integrity monitoring so that unexpected truncation or changes to important files are rapidly detected and logged.

Generated by OpenCVE AI on April 22, 2026 at 18:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00012.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/uutils/coreutils/issues/10019

History

Wed, 22 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 22 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss.
Title		uutils coreutils touch Arbitrary File Truncation via TOCTOU Race Condition
Weaknesses		CWE-367
References		https://github.com/uutils/coreutils/issues/10019
Metrics		cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: canonical

Published: 2026-04-22T16:08:28.218Z

Updated: 2026-04-22T18:03:26.466Z

Reserved: 2026-04-02T12:58:56.088Z

Link: CVE-2026-35360

Vulnrichment

Updated: 2026-04-22T18:03:16.052Z

NVD

Status : Awaiting Analysis

Published: 2026-04-22T17:16:38.673

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-35360

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T18:15:15Z

Weaknesses

CWE-367

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object