CVE-2026-35354

MEDIUM4.7EPSS 0.01%

uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition

Published: 4/22/2026Modified: 6/2/2026

Also known as:GHSA-x4mc-mqm7-gg39CGA-wh9c-cvv4-frq3

Description

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mv utility of uutils coreutils during cross-device moves. The extended attribute (xattr) preservation logic uses multiple path-based system calls that perform fresh path-to-inode lookups for each operation. A local attacker with write access to the directory can exploit this race to swap files between calls, causing the destination file to receive an inconsistent mix of security xattrs, such as SELinux labels or file capabilities.

Affected packages (2)

crates.io/coreutilsfrom 0, <= 0.8.0
Debian/rust-coreutilsfrom 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.7	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-35354
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-35354
PATCHhttps://github.com/uutils/coreutils
WEBhttps://github.com/uutils/coreutils/issues/10014