
CVE-2025-9810: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition in antirez linenoise

Medium
Published: Mon Sep 01 2025 (09/01/2025, 19:03:19 UTC)
Source: CVE Database V5
Vendor/Project: antirez
Product: linenoise

Description

TOCTOU in linenoiseHistorySave in linenoise allows local attackers to overwrite arbitrary files and change their permissions via a symlink race between fopen("w") on the history path and the subsequent chmod() on the same path.

AI-Powered Analysis

AI analysis last updated: 09/01/2025, 19:32:53 UTC

Technical Analysis

CVE-2025-9810 is a Time-of-Check to Time-of-Use (TOCTOU) race condition in the linenoise library, specifically in the linenoiseHistorySave function. Linenoise is a minimalistic line editing library often used in command-line interfaces and embedded systems. The vulnerability arises when the function saves command history by opening the history file for writing (fopen with "w" mode) and then changing the file's permissions with chmod() on the same path name. Because fopen() and chmod() each resolve the path independently, the two operations are not atomic: a local attacker who replaces the history path with a symbolic link to an arbitrary file between them causes fopen to truncate and write the symlink target and chmod to change the target's permissions. The result is overwriting of arbitrary files and modification of their permissions, which can lead to unauthorized file modification and potential privilege escalation or system compromise. The vulnerability requires local access, does not require privileges, and needs no user interaction. The CVSS 3.1 base score is 6.8 (medium severity), reflecting the local attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and low availability impact. No known exploits are reported in the wild yet, and no patches had been linked at the time of publication.

Potential Impact

For European organizations, this vulnerability poses a significant risk primarily in environments where linenoise is used, such as embedded systems, development tools, or custom command-line interfaces. The ability for a local attacker to overwrite arbitrary files and change permissions could lead to unauthorized code execution, privilege escalation, or disruption of critical services. This is particularly concerning for organizations with multi-user systems or shared environments where untrusted users may gain local access. The integrity of system files or application data could be compromised, potentially leading to data corruption or system instability. Although the attack requires local access, the ease of exploitation (low complexity, no privileges needed) increases the risk in environments where physical or remote local access is possible, such as shared workstations, developer machines, or containerized environments. The lack of confidentiality impact reduces the risk of data leakage, but the integrity and availability impacts could disrupt business operations or security controls.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Audit and identify all systems and applications using the linenoise library, especially those exposing local user access.
2) Apply any available patches or updates from the linenoise project or vendor as soon as they become available.
3) If patches are not yet available, consider workarounds such as restricting local user permissions to prevent untrusted users from creating symlinks or accessing the history save functionality.
4) Employ filesystem monitoring to detect unexpected changes to critical files or permissions that could indicate exploitation attempts.
5) Use mandatory access controls (e.g., AppArmor, SELinux) to limit the ability of processes using linenoise to modify arbitrary files.
6) Educate system administrators and developers about the risks of TOCTOU race conditions and encourage secure coding practices to avoid similar vulnerabilities.
7) Limit local access to trusted users only and enforce strong authentication and session controls to reduce the attack surface.


Technical Details

Data Version
5.1
Assigner Short Name
CyberArk
Date Reserved
2025-09-01T18:48:53.813Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68b5f155ad5a09ad00d306be

Added to database: 9/1/2025, 7:17:41 PM

Last enriched: 9/1/2025, 7:32:53 PM

Last updated: 9/4/2025, 7:23:35 PM

