CVE-2026-35341 Overview
A vulnerability in uutils coreutils mkfifo allows for the unauthorized modification of permissions on existing files. When mkfifo fails to create a FIFO because a file already exists at the target path, it fails to terminate the operation for that path and continues to execute a follow-up set_permissions call. This results in the existing file's permissions being changed to the default mode (often 644 after umask), potentially exposing sensitive files such as SSH private keys to other users on the system.
Critical Impact
Local attackers with low privileges can exploit this flaw to modify file permissions on arbitrary files, potentially exposing sensitive data like SSH private keys to unauthorized users.
Affected Products
- uutils coreutils (specific affected versions not disclosed)
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-35341 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35341
Vulnerability Analysis
This vulnerability is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource). The flaw resides in the mkfifo utility's error handling logic within the uutils coreutils implementation. When a user attempts to create a named pipe (FIFO) at a path where a file already exists, the mkfifo command correctly identifies the failure condition but does not properly terminate the operation sequence for that specific path.
The core issue is a logic error where the failure to create the FIFO does not prevent subsequent operations from executing. Specifically, a set_permissions call is executed even after the FIFO creation fails. This call applies the default permission mode (typically 644 after applying the system's umask) to the pre-existing file at the target path. This is problematic because the permissions are applied to a file that was never created by the current operation.
Root Cause
The root cause is improper error handling in the mkfifo implementation within uutils coreutils. The code path that handles FIFO creation failures does not adequately guard against executing the permission-setting logic that should only apply to newly created FIFOs. This represents a classic race condition vulnerability (TOCTOU - Time-of-Check Time-of-Use) combined with incorrect permission assignment, where the check for file existence and the permission modification are not atomically coordinated.
Attack Vector
The attack requires local access to the system with low-level privileges. An attacker can exploit this vulnerability by:
- Identifying a sensitive file with restrictive permissions (e.g., ~/.ssh/id_rsa with mode 600)
- Executing mkfifo targeting the path of the sensitive file
- While mkfifo fails to create the FIFO due to the existing file, the permission modification still executes
- The sensitive file's permissions are changed to a more permissive mode (e.g., 644), making it readable by other users
This can lead to unauthorized access to sensitive data such as SSH private keys, configuration files containing credentials, or other security-critical files. The attack surface is limited to local users, but in multi-user environments or containerized deployments sharing a filesystem, this vulnerability poses a significant risk.
Detection Methods for CVE-2026-35341
Indicators of Compromise
- Unexpected permission changes on sensitive files, particularly SSH keys, configuration files, or secret storage locations
- Audit logs showing mkfifo commands targeting paths to existing files rather than new FIFO locations
- Files with permissions loosened from restrictive modes (600, 400) to more permissive modes (644)
Detection Strategies
- Monitor audit logs (auditd on Linux) for mkfifo syscalls targeting existing file paths
- Implement file integrity monitoring (FIM) to detect unexpected permission changes on sensitive files
- Alert on anomalous chmod or permission modification events following failed mkfifo operations
Monitoring Recommendations
- Enable detailed system call auditing for the mknod system call family used by mkfifo
- Configure file integrity monitoring solutions to track permission changes on high-value files such as SSH keys and credential stores
- Establish baseline permissions for critical system files and alert on deviations
How to Mitigate CVE-2026-35341
Immediate Actions Required
- Review systems for uutils coreutils installations and identify affected versions
- Audit sensitive file permissions to detect any unauthorized modifications
- Consider temporarily restricting access to mkfifo or monitoring its usage closely until a patch is applied
Patch Information
Users should monitor the GitHub Issue Discussion for updates on official patches and remediation guidance. Update to a patched version of uutils coreutils when available. No vendor advisory with specific patch information has been released at this time.
Workarounds
- Use the GNU coreutils implementation of mkfifo instead of uutils coreutils until a fix is available
- Implement strict file permission monitoring on sensitive files to detect unauthorized changes
- Restrict mkfifo access to trusted users only through system policies or access control lists
# Example: Monitor permission changes on SSH keys
auditctl -w /home/*/.ssh/ -p wa -k ssh_permission_watch
# Example: Use inotifywait to monitor permission changes
inotifywait -m -e attrib /path/to/sensitive/files/
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
