{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35352", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-04-02T12:58:56.087Z", "datePublished": "2026-04-22T16:08:07.422Z", "dateUpdated": "2026-04-22T18:03:46.539Z"}, "containers": {"cna": {"title": "uutils coreutils mkfifo Privilege Escalation via TOCTOU Race Condition", "affected": [{"vendor": "Uutils", "product": "coreutils", "platforms": ["Linux", "Unix", "macOS"], "collectionURL": "https://github.com/uutils", "packageName": "coreutils", "repo": "https://github.com/uutils/coreutils", "defaultStatus": "affected"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-367", "description": "CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-29", "descriptions": [{"lang": "en", "value": "CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"}]}], "descriptions": [{"lang": "en", "value": "A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO and then performs a path-based chmod to set permissions. A local attacker with write access to the parent directory can swap the newly created FIFO for a symbolic link between these two operations. This redirects the chmod call to an arbitrary file, potentially enabling privilege escalation if the utility is run with elevated privileges."}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10020", "tags": ["issue-tracking"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Zellic", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:08:07.422Z"}}, "adp": [{"references": [{"url": "https://github.com/uutils/coreutils/issues/10020", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T18:03:42.431888Z", "id": "CVE-2026-35352", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:03:46.539Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO and then performs a path-based chmod to set permissions. A local attacker with write access to the parent directory can swap the newly created FIFO for a symbolic link between these two operations. This redirects the chmod call to an arbitrary file, potentially enabling privilege escalation if the utility is run with elevated privileges."}], "id": "CVE-2026-35352", "lastModified": "2026-04-22T17:16:37.597", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2026-04-22T17:16:37.597", "references": [{"source": "security@ubuntu.com", "url": "https://github.com/uutils/coreutils/issues/10020"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T18:12:59.563694+00:00", "value": {"mitigation_remediation": ["Update uutils coreutils to the latest version that includes the race condition fix.", "If an update is not immediately possible, limit write access to directories where mkfifo is used, ensuring that untrusted users cannot create or rename files there.", "Run mkfifo only under non\u2011privileged accounts or use additional safeguards such as SELinux/AppArmor to enforce strict permission boundaries."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation via TOCTOU race condition"}, "threat_synthesis": {"affected_systems": "The affected product is uutils coreutils. No specific version numbers are listed, so all current releases prior to the fix are potentially impacted.", "description_and_impact": "The mkfifo utility in uutils coreutils contains a Time\u2011of\u2011Check to Time\u2011of\u2011Use race condition. A locally privileged attacker can create a FIFO, then replace it with a symlink before the subsequent chmod operation completes, causing the chmod to affect an arbitrary file. This can allow an attacker to change permissions of critical files when mkfifo is executed with elevated rights, resulting in privilege escalation.", "risk_and_exploitability": "The vulnerability scores a CVSS of 7, indicating moderate to high risk. EPSS information is not available and the vulnerability is not in the CISA KEV catalog. The likely attack vector is local; an attacker must have write permission in the target directory. Exploitation requires the utility to run with elevated privileges, such as a set\u2011uid wrapper or a cron job, making host compromise a real threat under those conditions."}}}}, "created": "2026-04-22T18:15:15.485124+00:00", "updated": "2026-04-22T18:15:15.485134+00:00", "vendors": []}