CVE-2026-35376: CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition in Uutils coreutils
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the chcon utility of uutils coreutils during recursive operations. The implementation resolves recursive targets using a fresh path lookup (via fts_accpath) rather than binding the traversal and label application to the specific directory state encountered during traversal. Because these operations are not anchored to file descriptors, a local attacker with write access to a directory tree can exploit timing-sensitive rename or symbolic link races to redirect a privileged recursive relabeling operation to unintended files or directories. This vulnerability breaks the hardening expectations for SELinux administration workflows and can lead to the unauthorized modification of security labels on sensitive system objects.
AI Analysis
Technical Summary
The vulnerability in uutils coreutils' chcon utility involves a TOCTOU race condition during recursive relabeling operations. Instead of anchoring traversal and label application to specific directory states via file descriptors, the implementation uses fresh path lookups (fts_accpath). This design flaw enables a local attacker with write permissions to race rename or symlink operations, causing privileged relabeling to be applied to unintended targets. This breaks SELinux hardening assumptions by allowing unauthorized modification of security labels on sensitive files or directories. The issue affects version 0 of the product, which is not a cloud service. No known exploits are reported in the wild, and no vendor-provided patch or remediation guidance is currently available.
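The fd-anchored pattern that the summary contrasts with fresh path lookups, shown as an added C example for Linux (not uutils code and not the project's fix). The names `open_verified` and `relabel_entry` are hypothetical; the example assumes the entry is readable by the caller and refuses symlinks rather than labeling them.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Open `name` relative to the already-open parent `dirfd`, refusing symlinks,
 * and confirm it is the inode the traversal recorded in `seen`.
 * Returns an fd pinned to that inode, or -1 with errno set. */
int open_verified(int dirfd, const char *name, const struct stat *seen)
{
    struct stat now;
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;              /* ELOOP: entry is now a symlink */
    if (fstat(fd, &now) == 0 &&
        now.st_dev == seen->st_dev && now.st_ino == seen->st_ino)
        return fd;                      /* same object that was checked */
    close(fd);
    errno = ESTALE;                     /* entry was swapped after the check */
    return -1;
}

/* Write the SELinux context through the fd, so no second path lookup
 * happens between the check and the label write. */
int relabel_entry(int dirfd, const char *name, const struct stat *seen,
                  const char *context)
{
    int fd = open_verified(dirfd, name, seen);
    if (fd < 0) return -1;
    int rc = fsetxattr(fd, "security.selinux", context, strlen(context) + 1, 0);
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    struct stat seen;
    if (argc != 4) return 2;            /* usage: prog DIR NAME CONTEXT */
    int dirfd = open(argv[1], O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0 || fstatat(dirfd, argv[2], &seen, AT_SYMLINK_NOFOLLOW) != 0 ||
        relabel_entry(dirfd, argv[2], &seen, argv[3]) != 0) {
        perror("relabel");
        return 1;
    }
    return 0;
}
```

A recursive walk would apply the same `openat` call to each subdirectory and descend through the returned fd instead of re-resolving a path.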
Potential Impact
The vulnerability can lead to unauthorized modification of SELinux security labels on sensitive system objects by exploiting a race condition during recursive relabeling. This compromises the integrity of SELinux hardening workflows, potentially weakening system security. The impact is limited to local attackers with write access to directory trees and requires high attack complexity. Confidentiality, integrity, and availability impacts are rated low to medium based on the CVSS vector.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict write access to directory trees where chcon recursive operations are performed to trusted users only. Avoid running recursive chcon operations in untrusted environments. Monitor vendor channels for official patches or updates addressing this TOCTOU vulnerability.
Technical Details
- Data Version: 5.2
- Assigner Short Name: canonical
- Date Reserved: 2026-04-02T12:58:56.088Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69e8f7d519fe3cd2cdd00d98
Added to database: 4/22/2026, 4:31:17 PM
Last enriched: 4/22/2026, 4:47:22 PM
Last updated: 4/22/2026, 7:01:09 PM