CVE-2026-5958: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition in GNU Sed
When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: 1. resolves symlink to its target and stores the resolved path for determining when output is written, 2. opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process. This issue was fixed in version 4.10.
AI Analysis
Technical Summary
The vulnerability occurs in GNU Sed when invoked with both the -i (in-place edit) and --follow-symlinks options. The function open_next_file() first resolves the symlink to its target and stores that path, then opens the original symlink path to read the file. Because these two filesystem operations are separate and non-atomic, an attacker can replace the symlink target in the race window between these calls. This leads sed to read from the new attacker-controlled target but write output to the originally resolved path, enabling arbitrary file overwrite. The flaw is classified as CWE-367 (Time-of-check Time-of-use race condition) and was addressed in version 4.10 of GNU Sed.
Potential Impact
An attacker with the ability to atomically replace symlinks during sed's operation can cause arbitrary file overwrite with content controlled by the attacker. This could lead to unauthorized modification of files in the context of the sed process. The CVSS 4.0 score is 2.1 (low severity), reflecting the local attack vector and limited impact scope. There are no known exploits in the wild.
Mitigation Recommendations
This vulnerability is fixed in GNU Sed version 4.10. Users should upgrade to version 4.10 or later to remediate this issue. No official patch or temporary fix is indicated in the advisory data. Until upgrading, avoid using sed with both -i and --follow-symlinks options on untrusted symlinks to reduce risk. Patch status is not explicitly confirmed beyond the fixed version; check the vendor advisory for the latest remediation guidance.
CVE-2026-5958: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition in GNU Sed
Description
When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: 1. resolves symlink to its target and stores the resolved path for determining when output is written, 2. opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process. This issue was fixed in version 4.10.
CVSS v4.0
Score 2.1low
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability occurs in GNU Sed when invoked with both the -i (in-place edit) and --follow-symlinks options. The function open_next_file() first resolves the symlink to its target and stores that path, then opens the original symlink path to read the file. Because these two filesystem operations are separate and non-atomic, an attacker can replace the symlink target in the race window between these calls. This leads sed to read from the new attacker-controlled target but write output to the originally resolved path, enabling arbitrary file overwrite. The flaw is classified as CWE-367 (Time-of-check Time-of-use race condition) and was addressed in version 4.10 of GNU Sed.
Potential Impact
An attacker with the ability to atomically replace symlinks during sed's operation can cause arbitrary file overwrite with content controlled by the attacker. This could lead to unauthorized modification of files in the context of the sed process. The CVSS 4.0 score is 2.1 (low severity), reflecting the local attack vector and limited impact scope. There are no known exploits in the wild.
Mitigation Recommendations
This vulnerability is fixed in GNU Sed version 4.10. Users should upgrade to version 4.10 or later to remediate this issue. No official patch or temporary fix is indicated in the advisory data. Until upgrading, avoid using sed with both -i and --follow-symlinks options on untrusted symlinks to reduce risk. Patch status is not explicitly confirmed beyond the fixed version; check the vendor advisory for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CERT-PL
- Date Reserved
- 2026-04-09T09:42:24.687Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e6190619fe3cd2cdecc9cc
Added to database: 4/20/2026, 12:16:06 PM
Last enriched: 5/14/2026, 2:32:36 AM
Last updated: 6/4/2026, 3:36:57 PM
Views: 88
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.