CVE-2026-35359: CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition in Uutils coreutils
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a source path is a symbolic link using path-based metadata but subsequently opens it without the O_NOFOLLOW flag. An attacker with concurrent write access can swap a regular file for a symbolic link during this window, causing a privileged cp process to copy the contents of arbitrary sensitive files into a destination controlled by the attacker.
AI Analysis
Technical Summary
The vulnerability in Uutils coreutils' cp utility is a TOCTOU race condition (CWE-367) where the program first checks if a source path is a symbolic link but then opens the file without the O_NOFOLLOW flag. This gap allows an attacker with concurrent write access to replace the checked file with a symbolic link pointing to arbitrary sensitive files. Consequently, a privileged cp process may inadvertently copy sensitive file contents to an attacker-controlled destination. The CVSS 3.1 vector indicates the attack requires local access with high attack complexity and low privileges, no user interaction, and impacts confidentiality but not integrity or availability.
Potential Impact
The vulnerability can lead to unauthorized disclosure of sensitive file contents by tricking a privileged cp process into copying arbitrary files to attacker-controlled locations. This compromises confidentiality but does not affect integrity or availability. Exploitation requires local access with the ability to perform concurrent writes to the filesystem and is considered medium severity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid running the vulnerable cp utility with elevated privileges in environments where untrusted users have concurrent write access to source paths. Consider using alternative tools that properly handle symbolic links or implement manual checks to prevent TOCTOU conditions.
CVE-2026-35359: CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition in Uutils coreutils
Description
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a source path is a symbolic link using path-based metadata but subsequently opens it without the O_NOFOLLOW flag. An attacker with concurrent write access can swap a regular file for a symbolic link during this window, causing a privileged cp process to copy the contents of arbitrary sensitive files into a destination controlled by the attacker.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Uutils coreutils' cp utility is a TOCTOU race condition (CWE-367) where the program first checks if a source path is a symbolic link but then opens the file without the O_NOFOLLOW flag. This gap allows an attacker with concurrent write access to replace the checked file with a symbolic link pointing to arbitrary sensitive files. Consequently, a privileged cp process may inadvertently copy sensitive file contents to an attacker-controlled destination. The CVSS 3.1 vector indicates the attack requires local access with high attack complexity and low privileges, no user interaction, and impacts confidentiality but not integrity or availability.
Potential Impact
The vulnerability can lead to unauthorized disclosure of sensitive file contents by tricking a privileged cp process into copying arbitrary files to attacker-controlled locations. This compromises confidentiality but does not affect integrity or availability. Exploitation requires local access with the ability to perform concurrent writes to the filesystem and is considered medium severity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid running the vulnerable cp utility with elevated privileges in environments where untrusted users have concurrent write access to source paths. Consider using alternative tools that properly handle symbolic links or implement manual checks to prevent TOCTOU conditions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- canonical
- Date Reserved
- 2026-04-02T12:58:56.087Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e8f7d319fe3cd2cdd00cf3
Added to database: 4/22/2026, 4:31:15 PM
Last enriched: 4/22/2026, 5:01:21 PM
Last updated: 4/23/2026, 2:35:05 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.