CVE-2026-35352 Overview
A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO and then performs a path-based chmod to set permissions. A local attacker with write access to the parent directory can swap the newly created FIFO for a symbolic link between these two operations. This redirects the chmod call to an arbitrary file, potentially enabling privilege escalation if the utility is run with elevated privileges.
Critical Impact
Local attackers can exploit this race condition to modify permissions on arbitrary files, potentially leading to privilege escalation when mkfifo runs with elevated privileges.
Affected Products
- uutils coreutils (mkfifo utility)
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-35352 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35352
Vulnerability Analysis
This vulnerability is classified as CWE-367 (Time-of-Check Time-of-Use Race Condition). The flaw exists in the mkfifo utility's implementation within uutils coreutils, a Rust rewrite of GNU coreutils. The vulnerability occurs due to a temporal gap between two separate filesystem operations that are not performed atomically.
When the mkfifo utility creates a named pipe (FIFO), it first creates the FIFO at the specified path, then subsequently performs a separate chmod operation to set the desired permissions. This two-step process introduces a race window that can be exploited by an attacker with local access and write permissions to the parent directory.
Root Cause
The root cause is the non-atomic nature of the FIFO creation and permission setting operations. The utility performs a path-based chmod after creating the FIFO, rather than using file descriptor-based permission changes (such as fchmod) which would operate on the already-opened file handle. This path-based approach is vulnerable because the filesystem path can be manipulated between operations.
Attack Vector
The attack requires local access to the system and write permissions to the parent directory where the FIFO is being created. The attacker monitors for FIFO creation and quickly replaces the newly created FIFO with a symbolic link pointing to a target file. When the chmod operation executes, it follows the symlink and modifies permissions on the attacker-chosen target file instead of the original FIFO.
The exploitation sequence involves:
- The victim or privileged process invokes mkfifo with elevated privileges
- The FIFO is created at the specified path
- The attacker, running in a tight loop, detects the new FIFO and replaces it with a symlink to a sensitive file (e.g., /etc/shadow, system binaries)
- The chmod operation follows the symlink and changes permissions on the target file
- The attacker gains unauthorized access to the now-permissive target file
For technical details regarding this vulnerability, refer to the GitHub Issue Discussion.
Detection Methods for CVE-2026-35352
Indicators of Compromise
- Unexpected permission changes on sensitive system files without corresponding administrative activity
- Presence of symbolic links in directories where FIFOs are expected to be created
- Audit logs showing chmod operations on critical files originating from mkfifo processes
Detection Strategies
- Monitor filesystem activity for rapid creation and deletion of files followed by symlink creation in the same directory
- Implement file integrity monitoring on critical system files to detect unauthorized permission changes
- Enable comprehensive auditing of mkfifo and chmod system calls, particularly when executed by privileged processes
Monitoring Recommendations
- Configure auditd rules to track mkfifo and subsequent chmod operations: auditctl -w /path/to/monitored/dir -p wa
- Deploy endpoint detection solutions to identify process behavior consistent with TOCTOU exploitation patterns
- Review process execution logs for mkfifo invocations running with elevated privileges (SUID/SGID or sudo)
How to Mitigate CVE-2026-35352
Immediate Actions Required
- Avoid running mkfifo from uutils coreutils with elevated privileges until a patch is available
- Use GNU coreutils mkfifo as an alternative if available on the system
- Restrict write access to directories where FIFOs are created by privileged processes
- Apply the principle of least privilege to processes that invoke mkfifo
Patch Information
Patch information is currently being tracked in the GitHub Issue Discussion. Users should monitor this issue for updates on the official fix.
Workarounds
- Create FIFOs in directories where only the privileged user has write access
- Use the sticky bit on parent directories to prevent unauthorized file replacement: chmod +t /directory
- Implement wrapper scripts that use fchmod on the file descriptor rather than path-based permission changes
- Consider using alternative FIFO creation methods that perform atomic permission setting
# Workaround: Set sticky bit on directories used for FIFO creation
chmod +t /path/to/fifo/directory
# Alternative: Create FIFO in a protected directory
mkdir -p /var/run/myapp
chmod 700 /var/run/myapp
mkfifo /var/run/myapp/myfifo
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
