CVE-2026-35354 MEDIUM

CVE-2026-35354: uutils coreutils mv Security Xattr TOCTOU Race in Cross-Device

Vendor Uutils
Product coreutils
Weakness CWE-367
Published April 22, 2026
Last update April 22, 2026

CVSS base score

4.7/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mv utility of uutils coreutils during cross-device moves. The extended attribute (xattr) preservation logic uses multiple path-based system calls that perform fresh path-to-inode lookups for each operation. A local attacker with write access to the directory can exploit this race to swap files between calls, causing the destination file to receive an inconsistent mix of security xattrs, such as SELinux labels or file capabilities.

Key dates

02Disclosure timeline

April 22, 2026 CVE published
April 22, 2026 Record updated