CVE-2026-35342 Overview
The mktemp utility in uutils coreutils fails to properly handle an empty TMPDIR environment variable. Unlike GNU mktemp, which falls back to /tmp when TMPDIR is an empty string, the uutils implementation treats the empty string as a valid path. This causes temporary files to be created in the current working directory (CWD) instead of the intended secure temporary directory. If the CWD is more permissive or accessible to other users than /tmp, it may lead to unintended information disclosure or unauthorized access to temporary data.
Critical Impact
Temporary files may be created in world-readable or shared directories, potentially exposing sensitive data to unauthorized users when the current working directory has weaker permissions than the intended /tmp location.
Affected Products
- uutils coreutils versions prior to 0.6.0
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-35342 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35342
Vulnerability Analysis
This vulnerability is classified under CWE-377 (Insecure Temporary File). The core issue stems from improper handling of the TMPDIR environment variable when it is set to an empty string. The mktemp utility is designed to create temporary files and directories in a secure location, typically /tmp. However, the uutils implementation diverges from the expected GNU behavior by interpreting an empty TMPDIR value as a valid directory path rather than falling back to the default /tmp directory.
When TMPDIR is empty, the resulting file path becomes relative, causing temporary files to be created in whatever directory the user or process is currently operating in. This behavior can have security implications in multi-user environments or when scripts run in directories with permissive access controls.
Root Cause
The root cause lies in the path resolution logic within the uutils mktemp implementation. When checking the TMPDIR environment variable, the code does not distinguish between an unset variable and an empty string value. GNU mktemp treats both cases identically by defaulting to /tmp, but uutils proceeds with the empty string, which resolves to the current working directory when constructing file paths.
Attack Vector
This is a local attack vector requiring specific environmental conditions. An attacker would need to:
- Ensure the target application or script uses uutils mktemp rather than GNU coreutils
- Manipulate the TMPDIR environment variable to be an empty string (either directly or through environment inheritance)
- Position the target process to execute in a directory where the attacker has read access
The vulnerability allows an attacker to potentially read temporary files containing sensitive information if those files are created in a shared or world-readable directory. Since the exploitation requires local access and specific environmental configuration, the practical impact is limited but could be significant in certain deployment scenarios such as shared hosting environments or multi-user systems.
Detection Methods for CVE-2026-35342
Indicators of Compromise
- Temporary files appearing in unexpected directories outside of /tmp or /var/tmp
- Applications or scripts creating files with predictable naming patterns in user-accessible directories
- Presence of TMPDIR="" in environment configurations or shell profiles
Detection Strategies
- Monitor file creation events in directories that should not contain temporary files
- Audit environment variable settings in startup scripts and system configurations for empty TMPDIR values
- Review system logs for applications that rely on mktemp creating files in unexpected locations
Monitoring Recommendations
- Implement file integrity monitoring on sensitive directories to detect unexpected temporary file creation
- Configure security tools to alert on processes setting TMPDIR to an empty string
- Periodically audit installed coreutils package versions to ensure patched versions are deployed
How to Mitigate CVE-2026-35342
Immediate Actions Required
- Upgrade uutils coreutils to version 0.6.0 or later which includes the fix
- Audit system configurations and scripts for instances where TMPDIR may be set to an empty string
- Ensure critical applications explicitly set TMPDIR to a secure value rather than relying on fallback behavior
Patch Information
The vulnerability has been addressed in uutils coreutils version 0.6.0. The fix ensures that the mktemp utility properly falls back to /tmp when TMPDIR is an empty string, matching GNU coreutils behavior. For technical details on the fix implementation, see the GitHub Pull Request #10566. The patched release is available at GitHub Release 0.6.0.
Workarounds
- Set TMPDIR explicitly to /tmp in shell profiles and application configurations to avoid relying on fallback behavior
- Unset TMPDIR entirely rather than setting it to an empty string if the default /tmp behavior is desired
- Use wrapper scripts that validate and sanitize the TMPDIR value before invoking mktemp
# Workaround: Ensure TMPDIR is properly set before using mktemp
# Add to shell profile or script initialization
if [ -z "${TMPDIR:-}" ] || [ ! -d "$TMPDIR" ]; then
export TMPDIR="/tmp"
fi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
