CVE-2026-35353 Overview
The mkdir utility in uutils coreutils contains a Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability when using the -m flag for directory creation. The utility incorrectly applies permissions by first creating a directory with umask-derived permissions (typically 0755) before subsequently changing them to the requested mode via a separate chmod system call. This non-atomic operation introduces a brief window where a directory intended to be private is accessible to other users in multi-user environments, potentially leading to unauthorized data access.
Critical Impact
In multi-user environments, attackers with local access can exploit the brief permission window to access directories that should be private, potentially exposing sensitive data before the intended restrictive permissions are applied.
Affected Products
- uutils coreutils versions prior to 0.6.0
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-35353 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35353
Vulnerability Analysis
This vulnerability is classified as CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition. The core issue lies in how the mkdir utility handles the -m (mode) flag. Rather than creating the directory with the specified permissions atomically, the implementation performs two separate system calls: first creating the directory with default umask-derived permissions, then modifying those permissions via chmod.
The security impact is focused on confidentiality exposure in shared computing environments. An attacker with local access can monitor for directory creation events and exploit the timing window between the initial creation and the subsequent permission change. While the window is brief, automated exploitation tools could potentially access or list directory contents before restrictive permissions are applied.
Root Cause
The root cause is the non-atomic handling of directory creation with custom permissions. The mkdir implementation in uutils coreutils separates the directory creation step from the permission assignment step, creating a race condition. The proper fix requires using the mkdir() system call with the correct mode from the outset, or ensuring the umask is temporarily modified to create the directory with restrictive permissions initially.
Attack Vector
This vulnerability requires local access to the system. An attacker must have user-level privileges on a multi-user system where the vulnerable mkdir utility is being used. The attack scenario involves:
- Monitoring for directory creation events using filesystem notification mechanisms (e.g., inotify)
- Rapidly accessing the newly created directory during the permission window
- Reading or listing sensitive contents before restrictive permissions are applied
The attack does not require user interaction and can be automated with relatively low complexity. However, successful exploitation depends on timing and the attacker's ability to access the target directory within the brief window before permissions are corrected.
Detection Methods for CVE-2026-35353
Indicators of Compromise
- Unexpected directory access events in audit logs where timestamps closely follow directory creation timestamps
- Filesystem monitoring tools detecting rapid access patterns to newly created directories by users other than the creator
- Log entries showing successful file reads or directory listings followed immediately by permission denied errors on subsequent attempts
Detection Strategies
- Enable filesystem auditing for directory creation and access events using auditd rules targeting mkdir and openat system calls
- Monitor for processes that appear to be watching filesystem events and rapidly accessing newly created directories
- Implement file integrity monitoring to detect unexpected access to sensitive directories
Monitoring Recommendations
- Configure auditd to log directory creation events with rule: -a always,exit -F arch=b64 -S mkdir -S mkdirat -k dir_create
- Review access logs for directories created with the -m flag for any access occurring within milliseconds of creation
- Monitor for suspicious use of filesystem notification APIs (inotify_add_watch) by non-administrative users
How to Mitigate CVE-2026-35353
Immediate Actions Required
- Update uutils coreutils to version 0.6.0 or later, which contains the fix for this vulnerability
- Audit systems to identify where uutils coreutils mkdir is used with the -m flag
- Consider using restrictive umask settings (umask 077) as a temporary workaround on multi-user systems
Patch Information
The vulnerability has been addressed in uutils coreutils version 0.6.0. The fix is available via the GitHub Pull Request #10036. Users should update to the 0.6.0 release or later to remediate this vulnerability.
Workarounds
- Set a restrictive umask (umask 077) before creating directories with sensitive content to minimize the permission exposure window
- Use GNU coreutils mkdir instead of uutils coreutils if available, as it handles the -m flag atomically
- Create directories in a protected parent directory with restricted permissions, then move or rename them to the final location
- Avoid using the -m flag and instead set permissions after directory creation with a manual chmod call when working with highly sensitive data
# Workaround: Set restrictive umask before directory creation
umask 077
mkdir /path/to/sensitive_directory
chmod 700 /path/to/sensitive_directory
# Alternative: Use GNU coreutils if available
/usr/bin/mkdir -m 700 /path/to/sensitive_directory
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
