Description
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the chcon utility of uutils coreutils during recursive operations. The implementation resolves recursive targets using a fresh path lookup (via fts_accpath) rather than binding the traversal and label application to the specific directory state encountered during traversal. Because these operations are not anchored to file descriptors, a local attacker with write access to a directory tree can exploit timing-sensitive rename or symbolic link races to redirect a privileged recursive relabeling operation to unintended files or directories. This vulnerability breaks the hardening expectations for SELinux administration workflows and can lead to the unauthorized modification of security labels on sensitive system objects.
Published: 2026-04-22
Score: 4.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of SELinux security labels
Action: Apply patch
AI Analysis

Impact

A time‑of‑check to time‑of‑use race in the chcon utility of uutils coreutils allows a local attacker with write access to a directory tree to redirect a privileged recursive relabeling operation to unintended files or directories. This undermines the expected hardening provided by SELinux by letting an attacker change security labels on sensitive objects without authorization. The weakness is classified as CWE‑367.

Affected Systems

The vulnerability affects the uutils coreutils package, specifically the chcon command. No specific version information is listed in the data, so any version prior to the latest release should be considered at risk until a fix is applied.

Risk and Exploitability

The CVSS score of 4.5 indicates moderate impact, and as EPSS is not available the likelihood of exploitation is unknown. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is local with write access to the target directories; the attacker would perform timing‑sensitive rename or symbolic link races during a recursive chcon run.

Generated by OpenCVE AI on April 27, 2026 at 08:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade uutils coreutils to version 0.8.0 or later
  • Reduce write permissions on directories that may be subject to recursive chcon operations
  • Avoid using the recursive flag on chcon when active write access exists; prefer targeted relabeling

Generated by OpenCVE AI on April 27, 2026 at 08:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6g8r-74qp-6859 uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition
History

Mon, 04 May 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Uutils
Uutils coreutils
Vendors & Products Uutils
Uutils coreutils

Wed, 22 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the chcon utility of uutils coreutils during recursive operations. The implementation resolves recursive targets using a fresh path lookup (via fts_accpath) rather than binding the traversal and label application to the specific directory state encountered during traversal. Because these operations are not anchored to file descriptors, a local attacker with write access to a directory tree can exploit timing-sensitive rename or symbolic link races to redirect a privileged recursive relabeling operation to unintended files or directories. This vulnerability breaks the hardening expectations for SELinux administration workflows and can lead to the unauthorized modification of security labels on sensitive system objects.
Title uutils coreutils chcon Security Bypass and Mandatory Access Control (MAC) Inconsistency via TOCTOU Race Condition
Weaknesses CWE-367
References
Metrics cvssV3_1

{'score': 4.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Uutils Coreutils
cve-icon MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T17:14:38.066Z

Reserved: 2026-04-02T12:58:56.088Z

Link: CVE-2026-35376

cve-icon Vulnrichment

Updated: 2026-04-22T17:11:34.124Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T17:16:42.430

Modified: 2026-05-04T19:06:31.930

Link: CVE-2026-35376

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T19:53:27Z

Weaknesses