Description
A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation. A local attacker with write access to the destination directory can exploit this window to replace the destination with a symbolic link. The subsequent privileged move operation will follow the symlink, allowing the attacker to redirect the write and overwrite an arbitrary target file with contents from the source.
Published: 2026-04-22
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Overwrite
Action: Patch
AI Analysis

Impact

The mv utility in uutils coreutils contains a Time‑of‑Check to Time‑of‑Use race condition that occurs during cross‑device moves. The tool removes the destination path before copying the new file, creating a window where a local attacker can replace the destination with a symbolic link. When mv then performs the privileged move, it follows the symlink and writes the source contents to an arbitrary target file, potentially corrupting or replacing critical data.

Affected Systems

The affected product is the uutils coreutils mv command. No specific version information is listed, so any unpatched installation of this utility could be vulnerable.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widely known exploitation. The attack requires local write access to the destination directory and a cross‑device move, conditions that are common on shared or multi‑user systems. If an attacker gains this capability, they can overwrite arbitrary files, leading to data loss or potential privilege escalation.

Generated by OpenCVE AI on April 22, 2026 at 18:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest release of uutils coreutils that contains the TOCTOU fix.
  • Restrict write permissions on destination directories so that only trusted users can perform cross‑device mv operations.
  • If a patch is unavailable, avoid cross‑device mv by copying the file within the same filesystem and then removing the original, or use safer utilities such as rsync with strict options.

Generated by OpenCVE AI on April 22, 2026 at 18:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation. A local attacker with write access to the destination directory can exploit this window to replace the destination with a symbolic link. The subsequent privileged move operation will follow the symlink, allowing the attacker to redirect the write and overwrite an arbitrary target file with contents from the source.
Title uutils coreutils mv Arbitrary File Overwrite via Cross-Device TOCTOU Race Condition
Weaknesses CWE-367
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T17:22:25.742Z

Reserved: 2026-04-02T12:58:56.088Z

Link: CVE-2026-35364

cve-icon Vulnrichment

Updated: 2026-04-22T17:21:39.628Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-22T17:16:39.737

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-35364

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T18:15:15Z

Weaknesses