This vulnerability involves a Time-of-Check to Time-of-Use (TOCTOU) race condition in the mkfifo utility of the uutils coreutils project. The utility first creates a FIFO special file and subsequently performs a chmod operation on the path to set permissions. Because these two operations are not atomic, a local attacker with write permissions to the parent directory can replace the FIFO with a symbolic link to another file between creation and chmod. This causes the chmod to apply to the linked file instead, which may allow unauthorized modification of file permissions and potential privilege escalation if mkfifo is executed with elevated privileges. The CVSS 3.1 base score is 7.0, reflecting high impact on confidentiality, integrity, and availability, with attack vector local, high attack complexity, and low privileges required.

If exploited, this vulnerability can allow a local attacker with write access to the parent directory to escalate privileges by causing the chmod operation to affect arbitrary files via symbolic link substitution. This could lead to unauthorized modification of file permissions, potentially compromising system security. The vulnerability affects confidentiality, integrity, and availability as indicated by the CVSS score. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, avoid running the mkfifo utility from uutils coreutils with elevated privileges in environments where untrusted users have write access to the parent directory. Consider using alternative, trusted utilities that do not exhibit this race condition or apply manual operational controls to restrict directory write permissions.