CVE-2026-35364 - Vulnerability Details

- uutils coreutils mv Arbitrary File Overwrite via Cross-Device TOCTOU Race Condition

Description

A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation. A local attacker with write access to the destination directory can exploit this window to replace the destination with a symbolic link. The subsequent privileged move operation will follow the symlink, allowing the attacker to redirect the write and overwrite an arbitrary target file with contents from the source.

Published: 2026-04-22

Score: 6.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The mv utility in uutils coreutils contains a Time‑of‑Check to Time‑of‑Use race condition that occurs during cross‑device moves. The tool removes the destination path before copying the new file, creating a window where a local attacker can replace the destination with a symbolic link. When mv then performs the privileged move, it follows the symlink and writes the source contents to an arbitrary target file, potentially corrupting or replacing critical data.

Affected Systems

The affected product is the mv command in the uutils coreutils package. No specific version information is listed, so any unpatched installation of this utility could be vulnerable.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widely known exploitation. The attack requires local write access to the destination directory and a cross‑device move, conditions that are common on shared or multi‑user systems. If an attacker gains this capability, they can overwrite arbitrary files, leading to data loss or potential privilege escalation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor	Product	Default status	Versions
Uutils	coreutils	affected	—

Configuration 1 [-]

cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:*

No data.

Vendor Product Confidence Versions

Uutils

Coreutils

100%

Version	Status	Scheme	Platform
`—`	affected	—	['linux', 'unix', 'macos']

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update uutils coreutils to the latest release that contains the TOCTOU fix.
Limit write permissions on destination directories to prevent untrusted local users from performing cross‑device moves.
If a patch is not yet available, avoid cross‑device moves by copying the file within the same filesystem and then deleting the original, or use safer tools such as rsync with appropriate options.

Generated by OpenCVE AI on April 27, 2026 at 08:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-m976-87wm-48fm	uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00014.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/uutils/coreutils/issues/10015

History

Fri, 24 Apr 2026 19:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Uutils Uutils coreutils
CPEs		cpe:2.3:a:uutils:coreutils:-:::::rust::
Vendors & Products		Uutils Uutils coreutils

Wed, 22 Apr 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 22 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation. A local attacker with write access to the destination directory can exploit this window to replace the destination with a symbolic link. The subsequent privileged move operation will follow the symlink, allowing the attacker to redirect the write and overwrite an arbitrary target file with contents from the source.
Title		uutils coreutils mv Arbitrary File Overwrite via Cross-Device TOCTOU Race Condition
Weaknesses		CWE-367
References		https://github.com/uutils/coreutils/issues/10015
Metrics		cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H'}`

Subscriptions

Uutils Coreutils

MITRE

Status: PUBLISHED

Assigner: canonical

Published: 2026-04-22T16:08:38.522Z

Updated: 2026-04-22T17:22:25.742Z

Reserved: 2026-04-02T12:58:56.088Z

Link: CVE-2026-35364

Vulnrichment

Updated: 2026-04-22T17:21:39.628Z

NVD

Status : Analyzed

Published: 2026-04-22T17:16:39.737

Modified: 2026-04-24T19:19:11.777

Link: CVE-2026-35364

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T19:54:17Z

Weaknesses

CWE-367

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object