CVE-2026-35376 - Vulnerability Details

- uutils coreutils chcon Security Bypass and Mandatory Access Control (MAC) Inconsistency via TOCTOU Race Condition

Description

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the chcon utility of uutils coreutils during recursive operations. The implementation resolves recursive targets using a fresh path lookup (via fts_accpath) rather than binding the traversal and label application to the specific directory state encountered during traversal. Because these operations are not anchored to file descriptors, a local attacker with write access to a directory tree can exploit timing-sensitive rename or symbolic link races to redirect a privileged recursive relabeling operation to unintended files or directories. This vulnerability breaks the hardening expectations for SELinux administration workflows and can lead to the unauthorized modification of security labels on sensitive system objects.

Published: 2026-04-22

Score: 4.5 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A time‑of‑check to time‑of‑use race in the chcon utility of uutils coreutils allows a local attacker with write access to a directory tree to redirect a privileged recursive relabeling operation to unintended files or directories. This undermines the expected hardening provided by SELinux by letting an attacker change security labels on sensitive objects without authorization. The weakness is classified as CWE‑367.

Affected Systems

The vulnerability affects the uutils coreutils package, specifically the chcon command. No specific version information is listed in the data, so any version prior to the latest release should be considered at risk until a fix is applied.

Risk and Exploitability

The CVSS score of 4.5 indicates moderate impact, and as EPSS is not available the likelihood of exploitation is unknown. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is local with write access to the target directories; the attacker would perform timing‑sensitive rename or symbolic link races during a recursive chcon run.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Uutils

coreutils

unaffected

Version	Status	Constraints
`0`	affected	< 0.8.0

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade uutils coreutils to version 0.8.0 or later
Reduce write permissions on directories that may be subject to recursive chcon operations
Avoid using the recursive flag on chcon when active write access exists; prefer targeted relabeling

Generated by OpenCVE AI on April 22, 2026 at 18:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/uutils/coreutils/pull/11402
https://github.com/uutils/coreutils/releases/tag/0.8.0

History

Wed, 22 Apr 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 22 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the chcon utility of uutils coreutils during recursive operations. The implementation resolves recursive targets using a fresh path lookup (via fts_accpath) rather than binding the traversal and label application to the specific directory state encountered during traversal. Because these operations are not anchored to file descriptors, a local attacker with write access to a directory tree can exploit timing-sensitive rename or symbolic link races to redirect a privileged recursive relabeling operation to unintended files or directories. This vulnerability breaks the hardening expectations for SELinux administration workflows and can lead to the unauthorized modification of security labels on sensitive system objects.
Title		uutils coreutils chcon Security Bypass and Mandatory Access Control (MAC) Inconsistency via TOCTOU Race Condition
Weaknesses		CWE-367
References		https://github.com/uutils/coreutils/pull/11402 https://github.com/uutils/coreutils/releases/tag/0.8.0
Metrics		cvssV3_1 `{'score': 4.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: canonical

Published: 2026-04-22T16:09:09.676Z

Updated: 2026-04-22T17:14:38.066Z

Reserved: 2026-04-02T12:58:56.088Z

Link: CVE-2026-35376

Vulnrichment

Updated: 2026-04-22T17:11:34.124Z

NVD

Status : Awaiting Analysis

Published: 2026-04-22T17:16:42.430

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-35376

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T18:15:15Z

Weaknesses

CWE-367

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object