CVE-2026-35357 MEDIUM

CVE-2026-35357: uutils coreutils cp Information Disclosure via Permission Handling Race

Vendor Uutils
Product coreutils
Weakness CWE-367
Published April 22, 2026
Last update April 22, 2026

CVSS base score

4.7/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

The cp utility in uutils coreutils is vulnerable to an information disclosure race condition. Destination files are initially created with umask-derived permissions (e.g., 0644) before being restricted to their final mode (e.g., 0600) later in the process. A local attacker can race to open the file during this window; once obtained, the file descriptor remains valid and readable even after the permissions are tightened, exposing sensitive or private file contents.
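The ordering problem described above, next to a restrictive-at-creation ordering, as an added example (not code from uutils coreutils and not its patch). The function names, scratch paths and sample data are constructed for illustration, and the code assumes a Unix target.

```rust
use std::fs::{self, File, OpenOptions, Permissions};
use std::io::{self, Read, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// Create-then-tighten, as the advisory describes. Returns the mode visible
/// during the window and what a descriptor opened in that window reads later.
fn create_then_tighten(dst: &Path, data: &[u8], final_mode: u32) -> io::Result<(u32, Vec<u8>)> {
    let mut out = File::create(dst)?; // mode is 0666 & !umask, e.g. 0644
    out.write_all(data)?;
    let window_mode = fs::metadata(dst)?.permissions().mode() & 0o777;
    let mut early = File::open(dst)?; // stands in for a descriptor opened during the window
    fs::set_permissions(dst, Permissions::from_mode(final_mode))?;
    let mut seen = Vec::new();
    early.read_to_end(&mut seen)?; // access was checked at open(), not at read()
    Ok((window_mode, seen))
}

/// Hardened ordering: owner-only from the first instant, final mode applied
/// to the open descriptor (fchmod) once the data is written.
fn create_restricted(dst: &Path, data: &[u8], final_mode: u32) -> io::Result<(u32, u32)> {
    let mut out = OpenOptions::new().write(true).create_new(true).mode(0o600).open(dst)?;
    let window_mode = out.metadata()?.permissions().mode() & 0o777;
    out.write_all(data)?;
    out.set_permissions(Permissions::from_mode(final_mode))?;
    Ok((window_mode, out.metadata()?.permissions().mode() & 0o777))
}

/// Constructed scratch path under the system temp directory.
fn scratch(name: &str) -> PathBuf {
    let p = std::env::temp_dir().join(format!("cp-mode-demo-{}-{}", std::process::id(), name));
    let _ = fs::remove_file(&p);
    p
}

fn main() -> io::Result<()> {
    let secret = b"constructed sample secret\n";
    let (weak, strong) = (scratch("weak"), scratch("strong"));
    let (w_mode, seen) = create_then_tighten(&weak, secret, 0o600)?;
    println!("create-then-tighten: window mode {:04o}, early fd read {} bytes", w_mode, seen.len());
    let (s_mode, s_final) = create_restricted(&strong, secret, 0o600)?;
    println!("create-restricted:   window mode {:04o}, final mode {:04o}", s_mode, s_final);
    fs::remove_file(&weak)?;
    fs::remove_file(&strong)
}
```

With a typical umask of 022 the first function reports a window mode of 0644, while the second never exposes group or other bits before the final mode is applied.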

Key dates

02 Disclosure timeline

April 22, 2026 CVE published
April 22, 2026 Record updated