CVE-2026-35345 Overview
A vulnerability in the tail utility of uutils coreutils lets a local attacker read sensitive file contents when a privileged user runs tail with the --follow=name option. Unlike GNU tail, which stops following a name once it has been replaced by a symbolic link, the uutils implementation keeps following the path and reopens it, so the contents of the link's target are printed as if they were the log.
In environments where a privileged user (such as root) monitors a log directory, a local attacker with write access to that directory can replace a legitimate log file with a symlink pointing to a sensitive system file (such as /etc/shadow). The privileged tail then writes the target's contents into its own output, whether that is a shared terminal, a monitoring script's output file, or a log-shipping pipeline, and an attacker who can read that output obtains the file.
Critical Impact
A local attacker can use this symlink-following behavior to read root-only files such as /etc/shadow, which can lead to credential theft (offline cracking of password hashes) and privilege escalation.
Affected Products
- uutils coreutils (tail utility with --follow=name option)
Discovery Timeline
- 2026-04-22 - CVE-2026-35345 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35345
Vulnerability Analysis
This vulnerability is classified as CWE-59 (Improper Link Resolution Before File Access), commonly known as a symlink attack. The core issue is a behavioral difference between the uutils implementation of tail and the GNU coreutils version.
With --follow=name, tail tracks a path rather than an open descriptor and reopens the path whenever the directory entry is replaced (for example by log rotation). GNU tail inspects the entry before reopening and gives up on the name if it has become a symbolic link. The uutils implementation performs no such check: it reopens whatever the name now resolves to, so an attacker who swaps the log file for a symlink gets the link's target read and printed.
The attack requires local access and write permission on the directory being monitored (and, if the sticky bit is set, ownership of the entry being replaced). That makes it most dangerous in multi-user environments, on log directories with relaxed permissions, and where a compromised service account owns its application's log directory while root tails the logs.
Root Cause
The root cause is a missing type check when the monitored path is reopened. In --follow=name mode, tail should inspect the directory entry itself (lstat rather than stat) before reopening and refuse to continue if the entry has become a symbolic link or anything other than a regular file. Without that check the utility follows links to arbitrary files, crossing the boundary between the user who controls the log directory and the user running tail.
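The check described above, as an added example that is not uutils or GNU code: a hardened reopen step for a tail-style --follow=name loop beside the naive reopen the advisory describes, run against a constructed temporary directory that stands in for /var/log and /etc/shadow. The function names (naive_reopen, reopen_by_name, demo) are this example's own, and it assumes a Unix host with only the Rust standard library.

```rust
// Added example (not uutils or GNU code): hardened "reopen by name" for a
// tail-style --follow=name loop, next to the naive reopen the advisory
// describes. Assumptions: Unix, std only; names are this example's own.
use std::fs::{self, File};
use std::io::{self, Read};
use std::os::unix::fs::{symlink, MetadataExt};
use std::path::{Path, PathBuf};

/// The behaviour under discussion: reopen whatever the name resolves to.
/// If the entry has become a symlink, this silently opens the link's target.
pub fn naive_reopen(path: &Path) -> io::Result<File> {
    File::open(path)
}

/// Hardened reopen: refuse symlinks and non-regular files, then verify the
/// descriptor we got is the inode we inspected (closes the lstat/open window).
pub fn reopen_by_name(path: &Path) -> io::Result<File> {
    // lstat: look at the directory entry itself, not at what it points to.
    let before = fs::symlink_metadata(path)?;
    if before.file_type().is_symlink() {
        return Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            format!("{}: has been replaced with an untailable symbolic link", path.display()),
        ));
    }
    if !before.is_file() {
        return Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            format!("{}: has been replaced with an untailable file", path.display()),
        ));
    }
    let file = File::open(path)?;
    // fstat the descriptor and compare (dev, ino) with the lstat result. If the
    // entry was swapped for a symlink between the two calls, open() followed it
    // and the identity differs, so we refuse instead of reading the target.
    let after = file.metadata()?;
    if after.dev() != before.dev() || after.ino() != before.ino() {
        return Err(io::Error::new(
            io::ErrorKind::Other,
            format!("{}: changed identity while reopening", path.display()),
        ));
    }
    Ok(file)
}

/// Constructed scenario in a temp directory: a "log" swapped for a symlink to
/// a "secret" file. Returns (what the naive reopen leaked, whether the
/// hardened reopen refused).
pub fn demo() -> io::Result<(String, bool)> {
    let dir: PathBuf =
        std::env::temp_dir().join(format!("tail_symlink_demo_{}", std::process::id()));
    let _ = fs::remove_dir_all(&dir); // start clean if a previous run was interrupted
    fs::create_dir_all(&dir)?;
    let log = dir.join("app.log");
    let secret = dir.join("secret"); // stands in for /etc/shadow
    fs::write(&log, "2026-04-22 app started\n")?; // constructed log content
    fs::write(&secret, "constructed secret\n")?; // constructed secret content

    // Before the swap the hardened reopen accepts the regular file.
    reopen_by_name(&log)?;

    // Attacker with write access to the directory: drop the log, plant a link.
    fs::remove_file(&log)?;
    symlink(&secret, &log)?;

    let mut leaked = String::new();
    naive_reopen(&log)?.read_to_string(&mut leaked)?;
    let refused = reopen_by_name(&log).is_err();

    fs::remove_dir_all(&dir)?;
    Ok((leaked, refused))
}

fn main() -> io::Result<()> {
    let (leaked, refused) = demo()?;
    println!("naive reopen leaked: {:?}", leaked.trim_end());
    println!("hardened reopen refused: {}", refused);
    Ok(())
}
```

The identity comparison is what makes the check hold up under a concurrent swap: an lstat-only check would still be racy, since open() follows whatever the name points to at the moment it runs.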
Attack Vector
The attack is executed locally and requires the attacker to have write access to a directory that a privileged user is monitoring with tail --follow=name. The attack scenario proceeds as follows:
- An administrator runs tail --follow=name /var/log/app.log as root to monitor application logs
- A local attacker with write access to /var/log/ deletes or renames app.log
- The attacker creates a symbolic link: ln -s /etc/shadow /var/log/app.log
- The uutils tail continues following the path and outputs the contents of /etc/shadow
No race is needed: the attacker can plant the link at leisure, because the vulnerable tail reopens the name on every change and never checks what kind of entry it now is. The narrow window only matters for the fix itself, which is why a check built from lstat followed by open should also compare the opened descriptor's identity (device and inode from fstat) with the lstat result, so that a swap between the two calls is caught rather than followed.
Detection Methods for CVE-2026-35345
Indicators of Compromise
- Unexpected symbolic links appearing in log directories that were previously regular files
- Log monitoring processes (tail) reading files outside of expected directories
- Sudden appearance of symlinks pointing to root-only files such as /etc/shadow, private keys, or credential files
- Unusual file access patterns from privileged tail processes
Detection Strategies
- Monitor for symlink creation in directories typically used for logging (e.g., /var/log/)
- Implement auditd rules to track symlink creation (symlink, symlinkat) and file replacement (rename, renameat, unlink, unlinkat) in sensitive directories
- Use file integrity monitoring (FIM) tools to detect unexpected changes to log files
- Enable SentinelOne behavioral analysis to detect suspicious file system operations
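An added example of the file-integrity sweep suggested above; it is not part of any tool the advisory names. It walks a log directory with lstat, classifies each symbolic link as internal, escaping, or dangling by canonicalizing its target, and runs against a constructed temporary directory. All names in it are this example's own, and it assumes a Unix host with only the Rust standard library.

```rust
// Added example (not part of any tool the advisory names): a file-integrity
// style sweep that reports every symlink under a log directory and whether
// its target resolves outside that directory. Assumptions: Unix, std only.
use std::fs;
use std::io;
use std::os::unix::fs::symlink;
use std::path::{Path, PathBuf};

#[derive(Debug, PartialEq)]
pub enum Finding {
    /// Target lives inside the log directory (e.g. rotation convenience links).
    InternalLink { link: PathBuf, target: PathBuf },
    /// Target resolves outside the directory: the shape of the CWE-59 attack.
    EscapingLink { link: PathBuf, target: PathBuf },
    /// Target does not exist: a link planted ahead of time, or attack debris.
    DanglingLink { link: PathBuf },
}

/// Walk `dir` recursively and classify every symbolic link found.
pub fn scan_log_dir(dir: &Path) -> io::Result<Vec<Finding>> {
    let root = fs::canonicalize(dir)?;
    let mut findings = Vec::new();
    walk(&root, &root, &mut findings)?;
    Ok(findings)
}

fn walk(dir: &Path, root: &Path, findings: &mut Vec<Finding>) -> io::Result<()> {
    // Sort for deterministic output; read_dir order is filesystem-dependent.
    let mut entries: Vec<PathBuf> = fs::read_dir(dir)?
        .map(|e| e.map(|e| e.path()))
        .collect::<io::Result<_>>()?;
    entries.sort();
    for path in entries {
        // symlink_metadata (lstat) does not follow links, so a symlink is seen
        // as a symlink rather than as whatever it currently points at.
        let meta = fs::symlink_metadata(&path)?;
        if meta.file_type().is_symlink() {
            match fs::canonicalize(&path) {
                Ok(target) if target.starts_with(root) => {
                    findings.push(Finding::InternalLink { link: path, target })
                }
                Ok(target) => findings.push(Finding::EscapingLink { link: path, target }),
                Err(_) => findings.push(Finding::DanglingLink { link: path }),
            }
        } else if meta.is_dir() {
            // Real subdirectories are descended into; symlinked ones are not,
            // which also keeps the walk free of link loops.
            walk(&path, root, findings)?;
        }
    }
    Ok(())
}

fn leaf(p: &Path) -> String {
    p.file_name().unwrap_or_default().to_string_lossy().into_owned()
}

/// Constructed scenario: a log tree with one benign internal link, one link
/// escaping to a "secret" outside the tree, and one dangling link. Returns
/// (link name, classification) pairs in walk order.
pub fn demo() -> io::Result<Vec<(String, &'static str)>> {
    let base = std::env::temp_dir().join(format!("tail_fim_demo_{}", std::process::id()));
    let _ = fs::remove_dir_all(&base); // start clean if a previous run was interrupted
    let logs = base.join("log");
    let outside = base.join("outside");
    fs::create_dir_all(logs.join("app"))?;
    fs::create_dir_all(&outside)?;
    fs::write(logs.join("app").join("app.log"), "constructed log line\n")?;
    fs::write(outside.join("secret"), "constructed secret\n")?; // stands in for /etc/shadow
    symlink("app.log", logs.join("app").join("current"))?; // benign rotation-style link
    symlink(outside.join("secret"), logs.join("auth.log"))?; // the attack shape
    symlink("does-not-exist", logs.join("ghost"))?; // dangling
    let findings = scan_log_dir(&logs)?;
    fs::remove_dir_all(&base)?;
    Ok(findings
        .iter()
        .map(|f| match f {
            Finding::InternalLink { link, .. } => (leaf(link), "internal"),
            Finding::EscapingLink { link, .. } => (leaf(link), "escaping"),
            Finding::DanglingLink { link } => (leaf(link), "dangling"),
        })
        .collect())
}

fn main() -> io::Result<()> {
    for (link, class) in demo()? {
        println!("{:<10} {}", class, link);
    }
    Ok(())
}
```

Run it periodically, or from an inotify or auditd trigger on the directory. An EscapingLink in a directory that a privileged tail follows is a strong signal; InternalLink entries are normal for some rotation schemes and are worth a baseline rather than an alert.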
Monitoring Recommendations
- Configure alerts for any symlink creation in monitored log directories
- Audit processes running with elevated privileges that are performing file reads
- Implement real-time monitoring of log directory permissions and contents
- Review tail usage in scripts and automated processes for --follow=name, including its shorthand -F (equivalent to --follow=name --retry)
How to Mitigate CVE-2026-35345
Immediate Actions Required
- Audit systems for usage of uutils coreutils tail with the --follow=name option
- Consider switching to GNU coreutils tail in production environments until a patch is available
- Restrict write permissions on log directories to prevent unauthorized file manipulation
- Avoid running tail with --follow=name as root when monitoring directories with relaxed permissions
Patch Information
A fix for this vulnerability is being tracked in the uutils coreutils GitHub repository. Organizations should monitor this issue for updates and apply patches when available. Until an official fix is released, implementing the workarounds below is strongly recommended.
Workarounds
- Use --follow=descriptor (the default for plain -f) instead of --follow=name. Descriptor following keeps reading the open inode, so a swapped directory entry is never reopened; the trade-off is that logs rotated by rename are not picked up, which is usually why --follow=name or -F was chosen in the first place
- Switch to GNU coreutils tail which properly handles symlink replacements
- Enforce strict permissions on monitored directories (mode 755 or tighter, owned by root), including application-specific subdirectories; no account that could be compromised should be able to create or replace entries in a directory that root tails
- Use a dedicated unprivileged user for log monitoring operations
- Implement directory monitoring with inotify-based tools that validate file types
# Configuration example
# -f follows the open descriptor (the default follow mode), so a swapped
# directory entry is never reopened; rotation by rename will not be picked up
tail -f /var/log/app.log
# Or explicitly use --follow=descriptor
tail --follow=descriptor /var/log/app.log
# Note: -F is shorthand for --follow=name --retry and is therefore affected too
# Check who can write to the log directory and its subdirectories
stat -c '%A %U:%G %n' /var/log/ /var/log/*/
# Restrict permissions on log directories (no group or world write)
chmod 755 /var/log/
chown root:root /var/log/
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.