CVE-2026-35364

MEDIUM6.3EPSS 0.01%

uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition

發布日:2026/4/22修改日:2026/6/2

也稱為:GHSA-m976-87wm-48fmCGA-rr3v-67m9-hhcm

描述

A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation. A local attacker with write access to the destination directory can exploit this window to replace the destination with a symbolic link. The subsequent privileged move operation will follow the symlink, allowing the attacker to redirect the write and overwrite an arbitrary target file with contents from the source.

受影響套件(2)

crates.io/coreutilsfrom 0, <= 0.8.0
Debian/rust-coreutilsfrom 0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM6.3	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-35364
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-35364
PATCHhttps://github.com/uutils/coreutils
WEBhttps://github.com/uutils/coreutils/issues/10015