CVE-2026-35352 HIGH

CVE-2026-35352: uutils coreutils mkfifo Privilege Escalation via TOCTOU Race Condition

Vendor: Uutils
Product: coreutils
Weakness: CWE-367
Published: April 22, 2026
Last update: May 4, 2026

CVSS base score

7.0/10
Attack vector: Local
Attack complexity: High
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO and then performs a path-based chmod to set permissions. A local attacker with write access to the parent directory can swap the newly created FIFO for a symbolic link between these two operations. This redirects the chmod call to an arbitrary file, potentially enabling privilege escalation if the utility is run with elevated privileges.
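The create-then-chmod pattern described above, next to two ways of avoiding the second path resolution, as an added C example (not uutils code, which is written in Rust, and not the project's actual fix). All function names are hypothetical, and the racy function shows the generic sequence rather than the utility's source.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: the name is resolved twice, and chmod() follows whatever
 * the name refers to at the second resolution. */
int make_fifo_racy(const char *path, mode_t mode) {
    if (mkfifo(path, 0666) != 0) return -1;
    return chmod(path, mode);      /* follows a symlink placed at path */
}

/* Option 1: apply the final mode at creation, so no chmod is needed.
 * umask() is process-wide, so this suits a single-threaded utility. */
int make_fifo_with_mode(const char *path, mode_t mode) {
    mode_t old = umask(0);
    int rc = mkfifo(path, mode);
    int saved = errno;
    umask(old);
    errno = saved;
    return rc;
}

/* Option 2: when the mode must change after creation, refuse symlinks,
 * confirm the opened object is a FIFO, and chmod the descriptor. */
int set_fifo_mode_nofollow(const char *path, mode_t mode) {
    struct stat st;
    int rc = -1;
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOFOLLOW);
    if (fd < 0) return -1;         /* a symlink at path fails here */
    if (fstat(fd, &st) == 0) {
        if (S_ISFIFO(st.st_mode)) rc = fchmod(fd, mode);
        else errno = EINVAL;       /* not a FIFO: leave it untouched */
    }
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s PATH\n", argv[0]); return EXIT_FAILURE; }
    if (make_fifo_with_mode(argv[1], 0644) != 0) { perror("mkfifo"); return EXIT_FAILURE; }
    return EXIT_SUCCESS;
}
```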

Key dates

02 Disclosure timeline

April 22, 2026 CVE published
May 4, 2026 Record updated