CVE-2026-35356 Overview
A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability exists in the install utility of uutils coreutils when using the -D flag. The command creates parent directories and subsequently performs a second path resolution to create the target file, neither of which is anchored to a directory file descriptor. An attacker with concurrent write access can replace a path component with a symbolic link between these operations, redirecting the privileged write to an arbitrary file system location.
Critical Impact
Attackers with local access can exploit the race window to redirect privileged file writes to arbitrary locations, potentially leading to privilege escalation, arbitrary file overwrite, or system integrity compromise.
Affected Products
- uutils coreutils versions prior to 0.7.0
- Systems using the install utility with the -D flag in privileged contexts
Discovery Timeline
- 2026-04-22 - CVE-2026-35356 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35356
Vulnerability Analysis
This vulnerability represents a classic Time-of-Check to Time-of-Use (TOCTOU) race condition (CWE-367) in the uutils coreutils implementation of the install command. When invoked with the -D flag, the utility first creates any missing parent directories in the destination path and then performs a separate operation to create and write to the target file.
The fundamental flaw is that neither operation is anchored to a directory file descriptor: both resolve the destination from its path string. Between the directory-creation phase and the file-creation phase there is therefore a race window in which an attacker with concurrent write access to any directory on the path can swap a component for a symbolic link, redirecting where the privileged write ultimately lands.
Since the install utility is commonly used in privileged contexts (such as during software installation or deployment scripts running as root), successful exploitation could allow an attacker to write arbitrary content to sensitive system files, potentially leading to privilege escalation or system compromise.
Root Cause
The root cause is the absence of directory file descriptor anchoring during the two-phase operation of the -D flag functionality. When install -D is executed, the utility:
- Resolves the path and creates parent directories
- Re-resolves the path to create the target file
Nothing ties the second resolution to the directories created by the first, so a path component can change between them. The race window exists because the two steps are not performed atomically relative to a directory file descriptor (openat()/mkdirat() with O_NOFOLLOW and the appropriate AT_* flags), which would make a swapped component fail instead of being followed.
Attack Vector
The attack requires local access to the system and concurrent write permissions to at least one directory component in the target path. The attacker must:
- Monitor for privileged invocations of install -D
- Race to replace a path component with a symbolic link pointing to a target file (e.g., /etc/passwd, /etc/sudoers)
- Win the race window between directory creation and file write operations
The local attack vector and high attack complexity reflect the precise timing needed to win this race. Automated exploitation tools can, however, raise the success rate through repeated attempts.
Detection Methods for CVE-2026-35356
Indicators of Compromise
- Unexpected symbolic links appearing in paths commonly used with install -D commands
- Modification timestamps on critical system files coinciding with software installation activities
- Anomalous file permission or ownership changes on sensitive system configuration files
Detection Strategies
- Monitor for rapid symlink creation operations in directories where install -D operations are expected
- Implement file integrity monitoring (FIM) on critical system files to detect unauthorized modifications
- Audit install command invocations with the -D flag in privileged contexts
- Use SentinelOne's behavioral analysis to detect suspicious symlink manipulation patterns during installation processes
Monitoring Recommendations
- Enable detailed filesystem auditing on installation directories and target paths
- Configure real-time alerts for symlink creation in sensitive directory hierarchies
- Monitor process execution chains involving the install utility with elevated privileges
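The strategies and recommendations above can be turned into a concrete rule. The following is an added example written for this page, not SentinelOne or uutils code: it scans auditd-style PATH records (constructed here, as are the watched prefixes and thresholds) for symbolic links created under directories where install -D is expected to run, and escalates when several land inside a short window, which is the "rapid symlink creation" pattern the detection section describes.

```c
/* Added example, not vendor or project code: a small rule over auditd-style
 * PATH records that flags symbolic links created under directories where
 * install -D is expected to run, and escalates when several land inside a short
 * window. The record lines, watched prefixes and thresholds are constructed. */
#include <stdio.h>
#include <string.h>

static const char *WATCHED[] = { "/opt/app/", "/usr/local/lib/" };
#define BURST_COUNT   3      /* this many flagged symlink creates ... */
#define BURST_SECONDS 2.0    /* ... within this window raises a burst alert */

/* Constructed records in auditd PATH format (mode 0120xxx marks a symlink). */
static const char *const SAMPLE[] = {
    "type=PATH msg=audit(1713800000.101:501): item=1 name=\"/opt/app/lib/pkg\" inode=1201 dev=08:01 mode=0120777 ouid=1001 ogid=1001 rdev=00:00 nametype=CREATE",
    "type=PATH msg=audit(1713800000.205:502): item=1 name=\"/home/user/notes\" inode=1300 dev=08:01 mode=0120777 ouid=1001 ogid=1001 rdev=00:00 nametype=CREATE",
    "type=PATH msg=audit(1713800000.320:503): item=1 name=\"/opt/app/lib/pkg\" inode=1202 dev=08:01 mode=0120777 ouid=1001 ogid=1001 rdev=00:00 nametype=CREATE",
    "type=PATH msg=audit(1713800000.330:504): item=1 name=\"/opt/app/etc\" inode=1203 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=CREATE",
    "type=PATH msg=audit(1713800000.901:505): item=1 name=\"/usr/local/lib/x\" inode=1204 dev=08:01 mode=0120777 ouid=1001 ogid=1001 rdev=00:00 nametype=CREATE",
};
#define NSAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

/* Copy the value of " key=value" or " key=\"value\"" into out. Returns 0 if absent. */
static int audit_field(const char *rec, const char *key, char *out, size_t n)
{
    char pat[32];
    snprintf(pat, sizeof pat, " %s=", key);
    const char *p = strstr(rec, pat);
    if (!p) return 0;
    p += strlen(pat);
    int quoted = (*p == '"');
    if (quoted) p++;
    size_t i = 0;
    while (*p && i + 1 < n && *p != (quoted ? '"' : ' '))
        out[i++] = *p++;
    out[i] = '\0';
    return 1;
}

/* True for a PATH record whose created entry is a symlink; name receives its path. */
int is_symlink_create(const char *rec, char *name, size_t n)
{
    char mode[16], ntype[16];
    if (strncmp(rec, "type=PATH ", 10) != 0) return 0;
    if (!audit_field(rec, "nametype", ntype, sizeof ntype) || strcmp(ntype, "CREATE")) return 0;
    if (!audit_field(rec, "mode", mode, sizeof mode) || strncmp(mode, "0120", 4)) return 0;
    return audit_field(rec, "name", name, n);
}

static int under_watched(const char *path)
{
    for (size_t i = 0; i < sizeof WATCHED / sizeof WATCHED[0]; i++)
        if (strncmp(path, WATCHED[i], strlen(WATCHED[i])) == 0) return 1;
    return 0;
}

static double audit_time(const char *rec)   /* seconds from msg=audit(SECS.MS:serial) */
{
    double t = 0;
    const char *p = strstr(rec, "msg=audit(");
    if (p) sscanf(p + 10, "%lf", &t);
    return t;
}

/* Scan chronologically ordered records. Returns the number flagged and sets
 * *burst when BURST_COUNT flagged records fall within BURST_SECONDS. */
int scan_records(const char *const *recs, size_t n, int *burst)
{
    double seen[256];
    int flagged = 0;
    *burst = 0;
    for (size_t i = 0; i < n; i++) {
        char name[256];
        if (!is_symlink_create(recs[i], name, sizeof name) || !under_watched(name)) continue;
        double t = audit_time(recs[i]);
        if (flagged < 256) seen[flagged] = t;
        flagged++;
        printf("ALERT symlink created under watched prefix: %s\n", name);
        if (flagged >= BURST_COUNT && flagged <= 256 &&
            t - seen[flagged - BURST_COUNT] <= BURST_SECONDS) {
            printf("ALERT burst: %d symlink creates within %.1fs\n", BURST_COUNT, BURST_SECONDS);
            *burst = 1;
        }
    }
    return flagged;
}

int demo_flagged(void) { int b; return scan_records(SAMPLE, NSAMPLE, &b); }
int demo_burst(void)   { int b; scan_records(SAMPLE, NSAMPLE, &b); return b; }
```

On the constructed sample, three of the five records are symlink creations under a watched prefix (the /home entry is outside the watched set and the /opt/app/etc entry is a real directory), and the third flagged record arrives 0.8 s after the first, so the burst alert fires. In production the records would come from auditd watches on the installation directories, and the ouid/exe fields in the same event are what an analyst would pivot on to tell a legitimate packaging step from an unprivileged user planting links.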
How to Mitigate CVE-2026-35356
Immediate Actions Required
- Upgrade uutils coreutils to version 0.7.0 or later which addresses this vulnerability
- Review deployment scripts and automation that use install -D in privileged contexts
- Restrict write permissions on directories where privileged installations occur
- Consider using alternative installation methods that are not affected by this race condition
Patch Information
The vulnerability has been addressed in uutils coreutils version 0.7.0. The fix implements proper anchoring using directory file descriptors to prevent symlink injection between the two-phase operations. Detailed information about the patch is available in the GitHub Pull Request #10140 and the version 0.7.0 release notes.
Workarounds
- Ensure installation target directories have restricted write permissions (root-only or dedicated service accounts)
- Use the --no-target-directory flag where applicable to reduce path traversal risks
- Implement filesystem protections such as immutable attributes on critical directories
- Consider running privileged installations in isolated environments or containers where attackers cannot gain concurrent write access
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.