CVE-2026-35354

MEDIUM4.7EPSS 0.01%

uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition

發布日:2026/4/22修改日:2026/6/2

也稱為:GHSA-x4mc-mqm7-gg39CGA-wh9c-cvv4-frq3

描述

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mv utility of uutils coreutils during cross-device moves. The extended attribute (xattr) preservation logic uses multiple path-based system calls that perform fresh path-to-inode lookups for each operation. A local attacker with write access to the directory can exploit this race to swap files between calls, causing the destination file to receive an inconsistent mix of security xattrs, such as SELinux labels or file capabilities.

受影響套件(2)

crates.io/coreutilsfrom 0, <= 0.8.0
Debian/rust-coreutilsfrom 0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.7	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-35354
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-35354
PATCHhttps://github.com/uutils/coreutils
WEBhttps://github.com/uutils/coreutils/issues/10014