Description
The safe_traversal module in uutils coreutils, which provides protection against Time-of-Check to Time-of-Use (TOCTOU) symlink races using file-descriptor-relative syscalls, is incorrectly limited to Linux targets. On other Unix-like systems such as macOS and FreeBSD, the utility fails to utilize these protections, leaving directory traversal operations vulnerable to symlink race conditions.
Published: 2026-04-22
Score: 3.6 Low
EPSS: < 1% Very Low
KEV: No
Impact: Directory Traversal via TOCTOU Race
Action: Patch Update
AI Analysis

Impact

The safe_traversal module in uutils coreutils is designed to guard against Time‑of‑Check to Time‑of‑Use (TOCTOU) symlink races by using file‑descriptor‑relative system calls; however, the protection is hard‑coded to activate only on Linux. On macOS, FreeBSD and other Unix‑like systems the guard is bypassed, leaving directory traversal operations susceptible to a symlink race. This flaw falls under CWE‑367. While it does not directly enable code execution or privilege escalation, an attacker can replace a target file with a malicious symlink between the check and use phases, allowing unauthorized modification, deletion, or injection of files and potentially exposing sensitive data or causing denial of service.

Affected Systems

uutils coreutils is an open‑source Rust implementation of GNU Coreutils. The safe_traversal module that protects against TOCTOU symlink races works only on Linux. On macOS, FreeBSD, and other Unix‑like systems the module falls back to non‑protected logic, exposing directory traversal operations to symlink race conditions. All releases of uutils coreutils before 0.6.0 exhibit this flaw on those platforms; 0.6.0 and later restore protection. The affected software is deployed on any Unix‑like host that runs the vulnerable command‑line utilities from uutils, which may include servers, build environments, or end‑user systems.

Risk and Exploitability

The CVSS score of 3.6 indicates low to moderate severity. The EPSS score of <1% denotes a very low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog, so no confirmed widespread exploitation is reported. Exploitation would require the attacker to influence the file system at the time the vulnerable command runs, such as substituting a target file with a malicious symlink during the race window. This could allow unauthorized modification, deletion, or injection of files, potentially exposing sensitive data or causing denial of service. The most plausible attack vector is local or remote‑directed, but the need for precise timing and the low EPSS score reduce the practical risk.

Generated by OpenCVE AI on April 28, 2026 at 20:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade uutils coreutils to version 0.6.0 or later to restore TOCTOU protection on non‑Linux platforms.
  • If an immediate upgrade is not feasible, limit the use of vulnerable commands to directories that are not writable by untrusted users; consider moving critical operations to a root‑owned or immutable filesystem.
  • Implement monitoring or intrusion detection to watch for unexpected symlink creation in critical directories, and apply file‑system quarantine policies to detect and mitigate race conditions.

Generated by OpenCVE AI on April 28, 2026 at 20:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-ggc5-46rg-mr4v uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition
History

Mon, 27 Apr 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Uutils
Uutils coreutils
CPEs cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*
Vendors & Products Uutils
Uutils coreutils

Wed, 22 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description The safe_traversal module in uutils coreutils, which provides protection against Time-of-Check to Time-of-Use (TOCTOU) symlink races using file-descriptor-relative syscalls, is incorrectly limited to Linux targets. On other Unix-like systems such as macOS and FreeBSD, the utility fails to utilize these protections, leaving directory traversal operations vulnerable to symlink race conditions.
Title uutils coreutils Missing TOCTOU Protection on Non-Linux Unix Platforms in Safe Traversal Module
Weaknesses CWE-367
References
Metrics cvssV3_1

{'score': 3.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Uutils Coreutils
cve-icon MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T17:28:40.509Z

Reserved: 2026-04-02T12:58:56.088Z

Link: CVE-2026-35362

cve-icon Vulnrichment

Updated: 2026-04-22T17:28:37.362Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T17:16:38.960

Modified: 2026-04-27T12:26:40.533

Link: CVE-2026-35362

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T20:45:16Z

Weaknesses