This vulnerability involves a Time-of-Check to Time-of-Use (TOCTOU) race condition in the mkfifo utility of uutils coreutils. The utility first creates a FIFO special file and then performs a chmod on the path to set permissions. Because these two operations are separate, an attacker with write access to the parent directory can replace the FIFO with a symbolic link pointing to an arbitrary file between creation and chmod. Consequently, the chmod operation is applied to the target of the symbolic link instead of the FIFO, potentially enabling privilege escalation if mkfifo is executed with elevated privileges. The CVSS 3.1 base score is 7.0, indicating high severity, with attack vector local, attack complexity high, privileges required low, no user interaction, and high impact on confidentiality, integrity, and availability. No patch or vendor advisory detailing remediation is currently available.

If exploited, this vulnerability allows a local attacker with write access to the parent directory to redirect the chmod operation to arbitrary files via symbolic link manipulation. This can lead to unauthorized modification of file permissions on arbitrary files, potentially resulting in privilege escalation when mkfifo is run with elevated privileges. The impact affects confidentiality, integrity, and availability at a high level according to the CVSS score.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid running the mkfifo utility from uutils coreutils with elevated privileges in environments where untrusted users have write access to the parent directory. Consider using alternative, trusted utilities or implementing access controls to prevent unauthorized directory modifications.