CVE-2026-5958: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition in GNU Sed
CVE-2026-5958 is a low-severity TOCTOU race condition vulnerability in GNU Sed versions up to 4. 1e when used with both -i (in-place edit) and --follow-symlinks options. The vulnerability arises because sed performs two separate filesystem operations on a symlink path non-atomically, allowing an attacker to replace the symlink target in the race window. This can cause sed to overwrite an arbitrary file with attacker-controlled content. The issue is fixed in GNU Sed version 4. 10.
AI Analysis
Technical Summary
GNU Sed versions prior to 4.10 contain a time-of-check to time-of-use (TOCTOU) race condition when invoked with -i and --follow-symlinks. The function open_next_file() first resolves the symlink target path and then opens the original symlink path to read the file, with a window between these operations. An attacker can exploit this race window by atomically swapping the symlink target, causing sed to read from one file but write output to a different, attacker-controlled file path. This can lead to arbitrary file overwrite under the privileges of the sed process. The vulnerability is tracked as CWE-367 and has a CVSS 4.0 score of 2.1 (low severity).
Potential Impact
An attacker able to manipulate symlinks accessible to the sed process can exploit this race condition to overwrite arbitrary files with attacker-controlled content. This could lead to unauthorized file modification or corruption. However, the impact is limited by the local access required to manipulate symlinks and the low CVSS score reflects the limited attack surface and complexity.
Mitigation Recommendations
This vulnerability is fixed in GNU Sed version 4.10. Users and administrators should upgrade to version 4.10 or later to remediate this issue. No official patch or temporary fix is indicated in the advisory, so upgrading is the recommended remediation. Until upgraded, avoid using sed with both -i and --follow-symlinks options on untrusted symlinks to reduce risk.
CVE-2026-5958: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition in GNU Sed
Description
CVE-2026-5958 is a low-severity TOCTOU race condition vulnerability in GNU Sed versions up to 4. 1e when used with both -i (in-place edit) and --follow-symlinks options. The vulnerability arises because sed performs two separate filesystem operations on a symlink path non-atomically, allowing an attacker to replace the symlink target in the race window. This can cause sed to overwrite an arbitrary file with attacker-controlled content. The issue is fixed in GNU Sed version 4. 10.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
GNU Sed versions prior to 4.10 contain a time-of-check to time-of-use (TOCTOU) race condition when invoked with -i and --follow-symlinks. The function open_next_file() first resolves the symlink target path and then opens the original symlink path to read the file, with a window between these operations. An attacker can exploit this race window by atomically swapping the symlink target, causing sed to read from one file but write output to a different, attacker-controlled file path. This can lead to arbitrary file overwrite under the privileges of the sed process. The vulnerability is tracked as CWE-367 and has a CVSS 4.0 score of 2.1 (low severity).
Potential Impact
An attacker able to manipulate symlinks accessible to the sed process can exploit this race condition to overwrite arbitrary files with attacker-controlled content. This could lead to unauthorized file modification or corruption. However, the impact is limited by the local access required to manipulate symlinks and the low CVSS score reflects the limited attack surface and complexity.
Mitigation Recommendations
This vulnerability is fixed in GNU Sed version 4.10. Users and administrators should upgrade to version 4.10 or later to remediate this issue. No official patch or temporary fix is indicated in the advisory, so upgrading is the recommended remediation. Until upgraded, avoid using sed with both -i and --follow-symlinks options on untrusted symlinks to reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CERT-PL
- Date Reserved
- 2026-04-09T09:42:24.687Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e6190619fe3cd2cdecc9cc
Added to database: 4/20/2026, 12:16:06 PM
Last enriched: 4/20/2026, 12:31:17 PM
Last updated: 4/20/2026, 1:56:08 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.