The touch command in uutils coreutils can truncate an existing file when a Time‑of‑Check to Time‑of‑Use (TOCTOU) race condition occurs. During file creation, the utility verifies that the target path is missing and later calls File::create(), which internally uses O_TRUNC. An attacker can exploit the window between the check and the use by creating or switching a symbolic link at the target path, causing the touch command to truncate an existing file and permanently erase its data. This weakness corresponds to CWE‑367 and can lead to irreversible loss of critical information.

The affected product is uutils coreutils. No specific version information is supplied, so all releases that include the touch utility are potentially vulnerable until a patch is released.

The CVSS score of 6.3 and an EPSS score of less than 1% indicate medium severity and a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is inferred to be local or privileged service execution where the attacker can influence file creation paths. Based on the description, an attacker with write permission to the target directory can create or swap a symlink at the race window, leading to the accidental truncation of an existing file. Because no publicly available patch exists, the risk remains until a fix is applied or mitigated by restrictive permissions.