CVE-2026-35362 LOW

CVE-2026-35362: uutils coreutils Missing TOCTOU Protection on Non-Linux Unix Platforms in Safe Traversal Module

Vendor Uutils
Product coreutils
Weakness CWE-367
Published April 22, 2026
Last update April 22, 2026

CVSS base score

3.6/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

The safe_traversal module in uutils coreutils, which provides protection against Time-of-Check to Time-of-Use (TOCTOU) symlink races using file-descriptor-relative syscalls, is incorrectly limited to Linux targets. On other Unix-like systems such as macOS and FreeBSD, the utility fails to utilize these protections, leaving directory traversal operations vulnerable to symlink race conditions.
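The file-descriptor-relative pattern the description refers to, as an added C example (not uutils code and not part of the original record): each path component is opened with openat() and O_NOFOLLOW relative to an already-open directory descriptor, so a symlink placed anywhere in the path is refused rather than followed. The names open_nofollow_at and make_fixture and the /tmp fixture are hypothetical and constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open relpath beneath dirfd one component at a time,
 * each relative to an already-open directory fd, refusing symlinks and "..". */
int open_nofollow_at(int dirfd, const char *relpath)
{
    char buf[4096], *save = NULL;
    if (strlen(relpath) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, relpath);
    int cur = dup(dirfd);
    char *comp = strtok_r(buf, "/", &save);
    while (cur >= 0 && comp != NULL) {
        char *next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, "..") == 0) { close(cur); errno = EINVAL; return -1; }
        int flags = O_RDONLY | O_NOFOLLOW | O_CLOEXEC | (next ? O_DIRECTORY : 0);
        int fd = openat(cur, comp, flags), saved = errno;
        close(cur);
        errno = saved; cur = fd; comp = next;
    }
    return cur;
}

/* Constructed fixture: <tmp>/real/f and a symlink <tmp>/link -> real. */
int make_fixture(char *tmpl)
{
    int root = mkdtemp(tmpl) ? open(tmpl, O_RDONLY | O_DIRECTORY) : -1;
    if (root < 0 || mkdirat(root, "real", 0700) != 0) return -1;
    int f = openat(root, "real/f", O_CREAT | O_WRONLY, 0600);
    if (f < 0 || symlinkat("real", root, "link") != 0) return -1;
    close(f);
    return root;
}

int main(void)
{
    char tmpl[] = "/tmp/safe-traversal-XXXXXX";
    int root = make_fixture(tmpl);
    if (root < 0) return 1;
    /* O_NOFOLLOW on a whole path guards only its final component. */
    printf("whole-path open: %d, per-component open: %d\n",
           openat(root, "link/f", O_RDONLY | O_NOFOLLOW), open_nofollow_at(root, "link/f"));
    return 0;
}
```

The calls used here (openat, mkdirat, symlinkat, O_NOFOLLOW, O_DIRECTORY) are POSIX.1-2008 and are available on macOS and FreeBSD as well as Linux.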

Key dates

02 Disclosure timeline

April 22, 2026 CVE published
April 22, 2026 Record updated