CVE-2026-35355 Overview
The install utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file installation. The implementation unlinks an existing destination file and then recreates it using a path-based operation without the O_EXCL flag. A local attacker can exploit the window between the unlink and the subsequent creation to swap the path with a symbolic link, allowing them to redirect privileged writes to overwrite arbitrary system files.
Critical Impact
Local attackers can exploit this race condition to perform arbitrary file overwrites on the system, potentially leading to privilege escalation or system compromise through manipulation of critical system files.
Affected Products
- uutils coreutils (versions prior to 0.6.0)
Discovery Timeline
- 2026-04-22 - CVE-2026-35355 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35355
Vulnerability Analysis
This vulnerability represents a classic Time-of-Check to Time-of-Use (TOCTOU) race condition, classified under CWE-367. The flaw exists in the file installation workflow of the uutils coreutils install utility. When installing a file to a destination that already exists, the utility performs two distinct operations: first, it unlinks (removes) the existing destination file, and second, it creates a new file at that path.
The critical security gap lies in the time window between these two operations. During this brief interval, the destination path is effectively "free" and can be manipulated by a concurrent process. An attacker with local access can monitor for this window and quickly create a symbolic link at the destination path pointing to a sensitive system file.
When the install utility proceeds with its file creation operation, it does not use the O_EXCL flag, which would fail if the file already exists. Instead, it follows the symlink and writes the content to wherever the symlink points. This allows the attacker to redirect privileged writes to arbitrary locations on the filesystem.
Root Cause
The root cause of this vulnerability is a non-atomic file replacement combined with the absence of the O_EXCL flag during file creation. The install utility performs the unlink and the create as two separate path-based operations, leaving a window in which the destination path can be manipulated. A secure implementation either writes to a fresh file and atomically renames it over the destination, or creates the destination with O_EXCL together with controls that refuse to follow symbolic links, so that a swapped-in link fails the open instead of redirecting the write.
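As an added illustration in Rust (the language uutils coreutils is written in; this is not the project's code nor the fix from PR #10067), the two patterns side by side: the unlink-then-create sequence the advisory describes, and an atomic replacement that writes an O_EXCL temporary file and renames it over the destination. The `race_hook` closure is an assumption made for the demonstration; it stands in for the concurrent process acting inside the window.

```rust
use std::fs::{self, File, OpenOptions};
use std::io::{self, Write};
use std::path::{Path, PathBuf};

/// Shape of the bug described above (illustrative, not uutils' code): unlink the
/// destination, then recreate it by path with O_CREAT|O_TRUNC and no O_EXCL.
/// `race_hook` is a demo-only stand-in for the concurrent process acting in the gap.
pub fn install_unlink_then_create(src: &Path, dst: &Path, race_hook: impl FnOnce()) -> io::Result<()> {
    let data = fs::read(src)?;
    if fs::symlink_metadata(dst).is_ok() {
        fs::remove_file(dst)?; // step 1: unlink whatever currently sits at dst
    }
    race_hook(); // the window: the path is unowned until the next call
    let mut out = File::create(dst)?; // step 2: O_CREAT without O_EXCL, follows a symlink at dst
    out.write_all(&data)
}

/// Hardened replacement: write to a fresh O_EXCL temp file in the target directory,
/// then rename(2) it over dst. rename replaces the directory entry atomically and
/// never follows a symlink sitting at dst, so there is no window to win.
pub fn install_atomic(src: &Path, dst: &Path, race_hook: impl FnOnce()) -> io::Result<()> {
    let data = fs::read(src)?;
    let dir = match dst.parent() {
        Some(p) if !p.as_os_str().is_empty() => p,
        _ => Path::new("."),
    };
    let name = dst
        .file_name()
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "destination has no file name"))?;
    // Temp name is per-process; a leftover from a crashed run makes create_new fail closed.
    let tmp: PathBuf = dir.join(format!(".{}.{}.tmp", name.to_string_lossy(), std::process::id()));
    // create_new = O_CREAT|O_EXCL: refuses to open (rather than follow) anything already
    // present at tmp, a dangling symlink included.
    let mut out = OpenOptions::new().write(true).create_new(true).open(&tmp)?;
    if let Err(e) = out.write_all(&data).and_then(|_| out.sync_all()) {
        let _ = fs::remove_file(&tmp);
        return Err(e);
    }
    drop(out);
    race_hook(); // even if a symlink is planted at dst now, rename swaps the entry out
    fs::rename(&tmp, dst).map_err(|e| {
        let _ = fs::remove_file(&tmp);
        e
    })
}
```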
Attack Vector
The attack requires local access to the system and the ability to create files in the same directory where the install operation is taking place. The attacker must:
- Monitor the target directory for the install utility's unlink operation
- Quickly create a symbolic link at the destination path pointing to a sensitive system file (e.g., /etc/passwd, /etc/shadow, or system binaries)
- Allow the install utility to complete its write operation, which now follows the symlink
The race condition nature of this attack means it may require multiple attempts, but automated exploitation scripts can achieve reliable success rates. The impact can include complete system compromise if critical system files are overwritten.
Detection Methods for CVE-2026-35355
Indicators of Compromise
- Unexpected symbolic links appearing in directories where the install utility operates
- Modified system files with timestamps correlating to install operations
- Process traces showing rapid symlink creation immediately following unlink operations
Detection Strategies
- Monitor for suspicious symlink creation patterns using filesystem auditing tools such as auditd
- Implement file integrity monitoring on critical system files to detect unauthorized modifications
- Review logs for repeated failed or unusual install utility invocations that may indicate exploitation attempts
Monitoring Recommendations
- Enable auditd rules to track unlink, symlink, and open system calls in sensitive directories
- Deploy SentinelOne endpoint detection to identify anomalous file system operations consistent with TOCTOU exploitation
- Implement alerting for any modifications to critical system files outside of expected maintenance windows
How to Mitigate CVE-2026-35355
Immediate Actions Required
- Upgrade uutils coreutils to version 0.6.0 or later immediately
- Review systems for signs of exploitation, particularly unexpected changes to sensitive files
- Restrict local user access on systems where uutils coreutils is used for privileged file operations
Patch Information
The vulnerability has been addressed in uutils coreutils version 0.6.0. The fix implements atomic file operations with proper use of the O_EXCL flag to prevent symlink attacks during file installation. Administrators should update to this version or later to remediate the vulnerability.
For detailed information on the fix, refer to the GitHub Pull Request #10067 and the GitHub Release Version 0.6.0.
Workarounds
- Ensure the install utility is not run with elevated privileges when installing files to directories accessible by untrusted users
- Use dedicated directories with restricted permissions for file installation operations
- Consider temporarily reverting to GNU coreutils install if the patched version cannot be deployed immediately
- Implement directory-level access controls to prevent unauthorized users from creating files in target directories
# Example: Restrict directory permissions to prevent symlink attacks
chmod 755 /path/to/install/directory
chown root:root /path/to/install/directory
# Enable auditd monitoring for symlink operations
auditctl -w /path/to/install/directory -p wa -k toctou_monitor
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.