CVE-2026-35355

low-risk

Published 2026-04-22

The install utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file installation. The implementation unlinks an existing destination file and then recreates it using a path-based operation without the O_EXCL flag. A local attacker can exploit the window between the unlink and the subsequent creation to swap the path with a symbolic link, allowing them to redirect privileged writes to overwrite arbitrary system files.

Do I need to act?

0.01% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.3/10 Medium

LOCAL / HIGH complexity

Affected Products (1)

Coreutils

Affected Vendors

Uutils

References (3)

Exploit https://github.com/uutils/coreutils/pull/10067

Release Notes https://github.com/uutils/coreutils/releases/tag/0.6.0

Exploit https://github.com/uutils/coreutils/pull/10067

/ 100

low-risk

Severity 16/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal