CVE-2026-35354 Overview
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mv utility of uutils coreutils during cross-device moves. The extended attribute (xattr) preservation logic uses multiple path-based system calls that perform fresh path-to-inode lookups for each operation. A local attacker with write access to the directory can exploit this race condition to swap files between calls, causing the destination file to receive an inconsistent mix of security extended attributes, such as SELinux labels or file capabilities.
Critical Impact
Successful exploitation allows attackers to manipulate security-critical extended attributes (xattrs) including SELinux labels and file capabilities, potentially leading to privilege escalation or security policy bypass on affected systems.
Affected Products
- uutils coreutils (versions with vulnerable mv utility)
- Linux systems using uutils coreutils for file operations
- Systems relying on xattr-based security controls (SELinux, capabilities)
Discovery Timeline
- 2026-04-22 - CVE-2026-35354 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35354
Vulnerability Analysis
This vulnerability is classified as CWE-367 (Time-of-Check Time-of-Use), a race condition that occurs when a program checks the state of a resource and then uses that resource, but the resource's state can change between the check and the use.
In the context of the uutils coreutils mv utility, the vulnerability manifests during cross-device move operations. When moving files across different filesystems, the utility must copy the file and its metadata (including extended attributes) rather than simply updating directory entries. The xattr preservation logic performs multiple path-based system calls, each of which resolves the path to an inode independently.
The attack requires local access and the ability to write to the directory containing the target file. By carefully timing file swaps between the individual xattr-related system calls, an attacker can cause the destination file to inherit an inconsistent set of security attributes from different source files.
Root Cause
The root cause lies in the non-atomic nature of extended attribute preservation during cross-device moves. Each path-based system call (getxattr, setxattr, etc.) performs a fresh path-to-inode resolution. This creates a time window where the underlying file can be replaced between operations.
The fundamental issue is the use of path-based operations instead of file descriptor-based operations (fgetxattr, fsetxattr) that would maintain a consistent reference to the same inode throughout the operation sequence. This architectural choice allows an attacker to exploit the race window between consecutive system calls.
Attack Vector
The attack vector requires local access to the system with write permissions to the directory being targeted. The attacker must be able to:
- Monitor or predict when a cross-device mv operation will occur
- Rapidly swap files in the directory during the xattr preservation window
- Time the swap to occur between individual xattr-related system calls
The vulnerability mechanism involves path-based system calls performing independent path-to-inode lookups. During cross-device moves, the xattr preservation logic iterates through extended attributes, and between each path resolution, an attacker with directory write access can swap the target file. This results in the destination receiving mixed security attributes from different source files, potentially inheriting elevated privileges or inappropriate SELinux contexts.
For detailed technical discussion, see the GitHub Issue Discussion.
Detection Methods for CVE-2026-35354
Indicators of Compromise
- Unexpected changes in file capabilities or SELinux contexts after move operations
- Audit log entries showing rapid file renames or swaps in directories where mv operations are occurring
- Files with security xattrs that don't match expected policies
Detection Strategies
- Monitor system calls related to xattr operations using auditd rules for getxattr, setxattr, and related syscalls
- Implement file integrity monitoring (FIM) to detect unexpected changes in security extended attributes
- Use SELinux or AppArmor policy violation alerts to identify files with unexpected security contexts
Monitoring Recommendations
- Enable detailed audit logging for file move operations across filesystems
- Monitor for unusual patterns of rapid file creation/deletion in sensitive directories
- Implement alerting for changes to file capabilities (security.capability xattr)
- Track SELinux AVC denials that may indicate files with manipulated contexts
How to Mitigate CVE-2026-35354
Immediate Actions Required
- Review and restrict write permissions on directories containing sensitive files
- Consider using alternative file utilities (GNU coreutils) for security-critical operations until a patch is available
- Implement additional access controls on directories where cross-device moves are performed
- Audit recent cross-device move operations for potential exploitation
Patch Information
Refer to the GitHub Issue Discussion for the latest information on patches and fixes. The resolution would involve using file descriptor-based xattr operations (fgetxattr, fsetxattr) instead of path-based operations to maintain a consistent inode reference throughout the attribute preservation process.
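The following is an added illustration of the root cause and the resolution described above; it is not uutils code and the helper names (copy_xattrs_by_path, copy_xattrs_by_fd, preserve_xattrs) are assumed. It uses Python's os module, whose fd variants map to flistxattr/fgetxattr/fsetxattr on Linux, to place the racy path-based pattern beside the descriptor-based one.

```python
import errno
import os
import stat

# Constructed example (not uutils code); all helper names are assumed.

def copy_xattrs_by_path(src, dst):
    """Racy pattern from the advisory: every call re-resolves its path, so a file
    swapped between the calls leaves dst with attributes from different inodes."""
    copied = []
    for name in os.listxattr(src, follow_symlinks=False):      # lookup 1
        value = os.getxattr(src, name, follow_symlinks=False)   # lookup 2, per attr
        os.setxattr(dst, name, value, follow_symlinks=False)    # lookup 3, per attr
        copied.append(name)
    return copied

def copy_xattrs_by_fd(src_fd, dst_fd, prefixes=("user.", "security.", "trusted.")):
    """Race-free pattern: each descriptor pins one inode, so no call re-resolves
    a path. Returns the names copied; a filesystem without xattrs yields []."""
    try:
        names = os.listxattr(src_fd)                            # flistxattr
    except OSError as e:
        if e.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            return []
        raise
    copied = []
    for name in names:
        if name.startswith(prefixes):
            os.setxattr(dst_fd, name, os.getxattr(src_fd, name))  # fgetxattr/fsetxattr
            copied.append(name)
    return copied

def preserve_xattrs(src, dst, prefixes=("user.", "security.", "trusted.")):
    """Open both endpoints once, refusing symlinks and anything that is not a
    regular file, then copy attributes only through the descriptors."""
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC
    src_fd = os.open(src, flags)
    try:
        dst_fd = os.open(dst, flags)
        try:
            for fd in (src_fd, dst_fd):
                if not stat.S_ISREG(os.fstat(fd).st_mode):
                    raise OSError(errno.EINVAL, "not a regular file")
            return copy_xattrs_by_fd(src_fd, dst_fd, prefixes)
        finally:
            os.close(dst_fd)
    finally:
        os.close(src_fd)
```

Setting security.* attributes on the destination still needs the usual privileges (for example CAP_SETFCAP for security.capability), so a copier running unprivileged should expect EPERM on those names.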
Workarounds
- Restrict directory write permissions to prevent untrusted users from swapping files during move operations
- Use cp followed by rm with explicit verification of file attributes instead of mv for cross-device operations
- Implement directory-level access controls (e.g., sticky bit) to prevent file manipulation by non-owners
- Consider mounting filesystems with nosuid and noexec options where appropriate to limit impact
# Configuration example - Restrict directory permissions
# Set sensitive directories to rwxr-xr-x so only the owner can create, rename or delete entries
chmod 755 /path/to/sensitive/directory
# Enable sticky bit to prevent file manipulation by non-owners
chmod +t /path/to/shared/directory
# Audit rules for monitoring xattr operations
auditctl -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -k xattr_changes
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.