{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35376", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-04-02T12:58:56.088Z", "datePublished": "2026-04-22T16:09:09.676Z", "dateUpdated": "2026-04-22T17:14:38.066Z"}, "containers": {"cna": {"title": "uutils coreutils chcon Security Bypass and Mandatory Access Control (MAC) Inconsistency via TOCTOU Race Condition", "affected": [{"vendor": "Uutils", "product": "coreutils", "platforms": ["Linux", "Unix", "macOS"], "collectionURL": "https://github.com/uutils", "packageName": "coreutils", "repo": "https://github.com/uutils/coreutils", "versions": [{"status": "affected", "lessThan": "0.8.0", "version": "0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-367", "description": "CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-29", "descriptions": [{"lang": "en", "value": "CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"}]}], "descriptions": [{"lang": "en", "value": "A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the chcon utility of uutils coreutils during recursive operations. The implementation resolves recursive targets using a fresh path lookup (via fts_accpath) rather than binding the traversal and label application to the specific directory state encountered during traversal. Because these operations are not anchored to file descriptors, a local attacker with write access to a directory tree can exploit timing-sensitive rename or symbolic link races to redirect a privileged recursive relabeling operation to unintended files or directories. This vulnerability breaks the hardening expectations for SELinux administration workflows and can lead to the unauthorized modification of security labels on sensitive system objects."}], "references": [{"url": "https://github.com/uutils/coreutils/pull/11402", "tags": ["patch", "issue-tracking"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.8.0", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseSeverity": "MEDIUM", "baseScore": 4.5, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"}}], "credits": [{"lang": "en", "value": "Zellic", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:09:09.676Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T17:01:40.636759Z", "id": "CVE-2026-35376", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:14:38.066Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35376", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T17:01:40.636759Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:11:34.124Z"}}], "cna": {"title": "uutils coreutils chcon Security Bypass and Mandatory Access Control (MAC) Inconsistency via TOCTOU Race Condition", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Zellic"}], "impacts": [{"capecId": "CAPEC-29", "descriptions": [{"lang": "en", "value": "CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/uutils/coreutils", "vendor": "Uutils", "product": "coreutils", "versions": [{"status": "affected", "version": "0", "lessThan": "0.8.0", "versionType": "semver"}], "platforms": ["Linux", "Unix", "macOS"], "packageName": "coreutils", "collectionURL": "https://github.com/uutils", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/uutils/coreutils/pull/11402", "tags": ["patch", "issue-tracking"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.8.0", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the chcon utility of uutils coreutils during recursive operations. The implementation resolves recursive targets using a fresh path lookup (via fts_accpath) rather than binding the traversal and label application to the specific directory state encountered during traversal. Because these operations are not anchored to file descriptors, a local attacker with write access to a directory tree can exploit timing-sensitive rename or symbolic link races to redirect a privileged recursive relabeling operation to unintended files or directories. This vulnerability breaks the hardening expectations for SELinux administration workflows and can lead to the unauthorized modification of security labels on sensitive system objects."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:09:09.676Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35376", "state": "PUBLISHED", "dateUpdated": "2026-04-22T17:14:38.066Z", "dateReserved": "2026-04-02T12:58:56.088Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-04-22T16:09:09.676Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the chcon utility of uutils coreutils during recursive operations. The implementation resolves recursive targets using a fresh path lookup (via fts_accpath) rather than binding the traversal and label application to the specific directory state encountered during traversal. Because these operations are not anchored to file descriptors, a local attacker with write access to a directory tree can exploit timing-sensitive rename or symbolic link races to redirect a privileged recursive relabeling operation to unintended files or directories. This vulnerability breaks the hardening expectations for SELinux administration workflows and can lead to the unauthorized modification of security labels on sensitive system objects."}], "id": "CVE-2026-35376", "lastModified": "2026-04-22T21:23:52.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.4, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2026-04-22T17:16:42.430", "references": [{"source": "security@ubuntu.com", "url": "https://github.com/uutils/coreutils/pull/11402"}, {"source": "security@ubuntu.com", "url": "https://github.com/uutils/coreutils/releases/tag/0.8.0"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T18:02:18.751611+00:00", "value": {"mitigation_remediation": ["Upgrade uutils coreutils to version 0.8.0 or later", "Reduce write permissions on directories that may be subject to recursive chcon operations", "Avoid using the recursive flag on chcon when active write access exists; prefer targeted relabeling"], "summary": {"action": "Apply patch", "impact": "Unauthorized modification of SELinux security labels"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the uutils coreutils package, specifically the chcon command. No specific version information is listed in the data, so any version prior to the latest release should be considered at risk until a fix is applied.", "description_and_impact": "A time\u2011of\u2011check to time\u2011of\u2011use race in the chcon utility of uutils coreutils allows a local attacker with write access to a directory tree to redirect a privileged recursive relabeling operation to unintended files or directories. This undermines the expected hardening provided by SELinux by letting an attacker change security labels on sensitive objects without authorization. The weakness is classified as CWE\u2011367.", "risk_and_exploitability": "The CVSS score of 4.5 indicates moderate impact, and as EPSS is not available the likelihood of exploitation is unknown. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is local with write access to the target directories; the attacker would perform timing\u2011sensitive rename or symbolic link races during a recursive chcon run."}}}}, "created": "2026-04-22T18:15:15.480413+00:00", "updated": "2026-04-22T18:15:15.480424+00:00", "vendors": []}