Description
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the split utility of uutils coreutils. The program attempts to prevent data loss by checking for identity between input and output files using their file paths before initiating the split operation. However, the utility subsequently opens the output file with truncation after this path-based validation is complete. A local attacker with write access to the directory can exploit this race window by manipulating mutable path components (e.g., swapping a path with a symbolic link). This can cause split to truncate and write to an unintended target file, potentially including the input file itself or other sensitive files accessible to the process, leading to permanent data loss.
Published: 2026-04-22
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: Local data truncation and loss
Action: Immediate Patch
AI Analysis

Impact

The split utility checks that the input and output files do not share the same file path before starting the split operation. The check, however, is performed before the output file is opened with truncation, creating a race window. A local attacker who can write to the directory may change a path component such as a symbolic link during that window. This can cause split to truncate and write to an unintended target file, including the input file itself or any other file the process can access, resulting in permanent data loss.

Affected Systems

Uutils coreutils, specifically the split component, is affected. No specific version information is provided, so all released versions that include split are potentially vulnerable until the patch is applied.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate risk, but the absence of an EPSS score and its non–appearance in the KEV catalog mean it has not yet been observed in the wild. The flaw is exploitable by an attacker with local write access to the directory containing the input and output files, which is common on many systems. The direct impact is data truncation and loss, which can compromise critical data or system integrity.

Generated by OpenCVE AI on April 22, 2026 at 18:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update uutils coreutils to the latest version that includes the patch from pull request 11401.
  • Restrict write and symlink permissions on the directories used by split to prevent untrusted users from manipulating path components.
  • Ensure the process running split does not have access to sensitive files that could be overwritten and that output files are created with secure permissions.

Generated by OpenCVE AI on April 22, 2026 at 18:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the split utility of uutils coreutils. The program attempts to prevent data loss by checking for identity between input and output files using their file paths before initiating the split operation. However, the utility subsequently opens the output file with truncation after this path-based validation is complete. A local attacker with write access to the directory can exploit this race window by manipulating mutable path components (e.g., swapping a path with a symbolic link). This can cause split to truncate and write to an unintended target file, potentially including the input file itself or other sensitive files accessible to the process, leading to permanent data loss.
Title uutils coreutils split Arbitrary File Truncation via Time-of-Check to Time-of-Use (TOCTOU) Race Condition
Weaknesses CWE-367
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T17:19:14.972Z

Reserved: 2026-04-02T12:58:56.088Z

Link: CVE-2026-35374

cve-icon Vulnrichment

Updated: 2026-04-22T17:19:11.805Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-22T17:16:42.127

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-35374

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T18:15:15Z

Weaknesses