CVE-2026-35352
Description
A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO and then performs a path-based chmod to set permissions. A local attacker with write access to the parent directory can swap the newly created FIFO for a symbolic link between these two operations. This redirects the chmod call to an arbitrary file, potentially enabling privilege escalation if the utility is run with elevated privileges.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-35352
Vendor advisory: security@ubuntu.com — https://github.com/uutils/coreutils/issues/10020
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | affected | |
| debian | sid | affected | |
| debian | trixie | affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| uutils | coreutils | - | |
References
- https://github.com/uutils/coreutils/issues/10020
- http://www.openwall.com/lists/oss-security/2026/05/04/4
- http://www.openwall.com/lists/oss-security/2026/05/04/5
- http://www.openwall.com/lists/oss-security/2026/05/04/6
- https://nvd.nist.gov/vuln/detail/CVE-2026-35352
- https://github.com/uutils/coreutils
- https://security-tracker.debian.org/tracker/CVE-2026-35352
- https://github.com/advisories/GHSA-9gh9-hwpr-rvqq
CWEs
CWE-367
Verify integrity in audit chain (admin only). AS-IS.