CVE-2026-35359 Overview
A Time-of-Check to Time-of-Use (TOCTOU) race in the cp utility of uutils coreutils allows an attacker to bypass the no-dereference intent of a copy (the -P / --no-dereference behaviour). cp decides whether a source path is a symbolic link using path-based metadata (an lstat()-style check) but then opens the same path without the O_NOFOLLOW flag. An attacker with write access to the source directory can replace the regular file with a symbolic link in the window between the two calls, so a privileged cp process reads the contents of a file the attacker cannot otherwise access (for example /etc/shadow) and writes them to a destination the attacker can read.
Critical Impact
A local attacker who can write to a directory that a privileged cp reads from can win the race and obtain the contents of arbitrary files, because the privileged process follows the substituted symbolic link and copies the target on the attacker's behalf.
Affected Products
- uutils coreutils cp utility (vulnerable versions)
Discovery Timeline
- 2026-04-22 - CVE-2026-35359 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35359
Vulnerability Analysis
This TOCTOU vulnerability (CWE-59: Improper Link Resolution Before File Access) is a race condition in how cp handles symbolic links. Exploitation requires local access and winning a timing race, so its complexity is rated high, but a successful attempt yields the contents of any file the privileged process can read, a complete loss of confidentiality for that file.
The core issue lies in the separation between the security check and the file operation. When the cp utility processes a source file, it first performs a path-based metadata check to determine if the source is a symbolic link. This check is intended to honor the no-dereference behavior when specified. However, the subsequent file open operation does not use the O_NOFOLLOW flag, creating a window of opportunity between these two operations.
Root Cause
The root cause is that cp performs the operation in two path-based phases:
- It checks the source's metadata through the path (lstat(), or fstatat() with AT_SYMLINK_NOFOLLOW) to decide whether the source is a symbolic link
- It then opens the same path for reading without passing O_NOFOLLOW to open()
Both steps name the file by path, so nothing binds the object that was checked to the object that is opened. Between the two calls the filesystem can change, and an attacker can replace the regular file with a symbolic link that the second call silently follows.
Attack Vector
The attack requires local system access and the ability to write to the directory containing the source file. An attacker must win a race condition by:
- Creating a regular file that a privileged process (running as root or another user) will copy
- Monitoring for the cp operation to begin
- Quickly swapping the regular file for a symbolic link pointing to a sensitive file (e.g., /etc/shadow, SSH private keys, or other confidential data)
- If successful, the privileged cp process will copy the contents of the target file to the attacker-controlled destination
The attack is probabilistic because the window is narrow, but the attacker can retry on every copy and can widen the window, for example by placing the source on a slow network-mounted filesystem or by otherwise delaying the privileged process.
For additional technical details regarding this vulnerability, see the GitHub Issue Discussion for the uutils coreutils project.
Detection Methods for CVE-2026-35359
Indicators of Compromise
- Unusual symbolic link creation activity in directories where privileged copy operations occur
- Evidence of rapid file replacement patterns (file → symlink → file) in filesystem audit logs
- Contents of sensitive files (for example /etc/shadow or SSH private keys) appearing in user-writable locations, typically in a destination file the unprivileged user created beforehand so that the copy lands in a file they can read
Detection Strategies
- Enable filesystem auditing (auditd) for the symlink/symlinkat, unlink/unlinkat and rename/renameat syscalls in directories that privileged copy operations read from
- Monitor for privileged cp processes accessing files in user-writable directories
- Implement file integrity monitoring (FIM) to detect unexpected changes to sensitive configuration files
Monitoring Recommendations
- Configure audit rules for directories where privileged copy operations regularly occur
- Deploy SentinelOne Singularity to detect anomalous file access patterns and potential race condition exploitation attempts
- Review process execution logs for cp operations running with elevated privileges on user-controlled paths
How to Mitigate CVE-2026-35359
Immediate Actions Required
- Avoid running privileged cp operations on files in directories where untrusted users have write access
- Use GNU coreutils instead of uutils coreutils until a patch is available
- Implement strict directory permissions to prevent untrusted users from modifying source file paths
Patch Information
No official patch has been released at the time of publication. Monitor the GitHub Issue Discussion for updates on the fix status. The correct remediation is to stop reasoning about the path at all: open the source with O_NOFOLLOW (via open() or openat()), which makes the kernel fail with ELOOP if the final path component is a symbolic link, then confirm the file type with fstat() on the returned descriptor and perform the copy from that same descriptor. fstatat() with AT_SYMLINK_NOFOLLOW is still a path-based check and does not by itself close the window; only a check performed on the descriptor that is subsequently read does.
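The check-then-open pattern described under Root Cause, beside the O_NOFOLLOW-plus-fstat() form described above, as an added example in C. This is not uutils code; the hook argument, the temporary directory and the file names public.txt and secret.txt are constructed for the demonstration, and the hook stands in for an attacker who would otherwise have to win the race against the real process.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (CWE-59): lstat() on the path reports "not a symlink",
 * then open() without O_NOFOLLOW follows whatever the path names by then.
 * `hook` runs inside that window so the race can be hit deterministically
 * here; a real attacker simply races the privileged cp. */
int open_nodereference_racy(const char *path, void (*hook)(const char *)) {
    struct stat st;
    if (lstat(path, &st) == -1) return -1;
    if (S_ISLNK(st.st_mode)) { errno = ELOOP; return -1; } /* no-dereference intent */
    if (hook) hook(path);                                   /* the TOCTOU window */
    return open(path, O_RDONLY | O_CLOEXEC);               /* follows a swapped-in link */
}

/* Hardened pattern: no path-based check at all. O_NOFOLLOW makes the kernel
 * fail with ELOOP if the final component is a symlink, and the file-type check
 * is done with fstat() on the descriptor that will actually be read. */
int open_nodereference_safe(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd == -1) return -1;
    struct stat st;
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode)) {
        close(fd); errno = EINVAL; return -1;              /* directory, FIFO, device... */
    }
    return fd;
}

/* Read up to n-1 bytes from fd into buf, NUL-terminate, return bytes read. */
ssize_t read_small(int fd, char *buf, size_t n) {
    ssize_t got = read(fd, buf, n - 1);
    buf[got < 0 ? 0 : got] = '\0';
    return got;
}

/* Constructed fixture in a fresh temp dir: public.txt (what cp was asked to
 * copy) and secret.txt (standing in for /etc/shadow). Fills public_path. */
int make_fixture(char *public_path, size_t n) {
    char dir[] = "/tmp/toctou-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    const char *names[2] = { "public.txt", "secret.txt" };
    const char *bodies[2] = { "public", "secret" };
    for (int i = 0; i < 2; i++) {
        char p[4096];
        snprintf(p, sizeof p, "%s/%s", dir, names[i]);
        int fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd == -1 || write(fd, bodies[i], 6) != 6) return -1;
        close(fd);
    }
    snprintf(public_path, n, "%s/public.txt", dir);
    return 0;
}

/* The attacker's move: replace the regular file with a symlink to secret.txt. */
void swap_for_symlink(const char *path) {
    unlink(path);
    symlink("secret.txt", path);                            /* relative target, same dir */
}

/* Returns 1 when all three expectations hold: the hardened open reads the
 * genuine regular file, the racy open leaks "secret" after the swap, and the
 * hardened open then refuses the swapped-in symlink with ELOOP. */
int demo(void) {
    char src[4096], buf[16];
    if (make_fixture(src, sizeof src) == -1) return 0;

    int fd = open_nodereference_safe(src);
    int regular_ok = fd != -1 && read_small(fd, buf, sizeof buf) == 6 && !strcmp(buf, "public");
    if (fd != -1) close(fd);

    fd = open_nodereference_racy(src, swap_for_symlink);
    int leaked = fd != -1 && read_small(fd, buf, sizeof buf) == 6 && !strcmp(buf, "secret");
    if (fd != -1) close(fd);

    fd = open_nodereference_safe(src);                      /* src is now the symlink */
    int refused = fd == -1 && errno == ELOOP;
    if (fd != -1) close(fd);

    return regular_ok && leaked && refused;
}

int main(void) {
    printf("%s\n", demo() ? "racy open leaked the secret; O_NOFOLLOW open refused it"
                          : "unexpected result");
    return 0;
}
```

The hardened function never consults the path's type before opening, so there is no window to race; whatever is swapped in, the kernel either refuses it (a symlink) or fstat() rejects it (anything that is not a regular file) on the descriptor the copy would read. The same shape applies to the destination side: open it with O_NOFOLLOW (and O_EXCL when creating) rather than trusting a prior check.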
Workarounds
- Restrict privileged copy operations to directories with appropriate ownership and permissions (owned by root with no write access for unprivileged users)
- Do not rely on staging the copy in a secure temporary directory: the race is on the source path, not the destination. If a privileged process must take a file from a user-writable location, first rename(2) it into a root-owned directory the user cannot write to, then inspect and copy it from there, where the path can no longer be swapped underneath the copy
- Consider using alternative file copy mechanisms that properly handle symbolic links atomically
# Restrict directory permissions to prevent exploitation
chmod 755 /path/to/source/directory
chown root:root /path/to/source/directory
# Alternative: rsync, skipping symbolic links in the source
rsync -avP --no-links /source/file /destination/
# Caveat: rsync also classifies the source with a path-based lstat() before opening it,
# so this narrows the exposure rather than removing the race; the permission fix above
# is the reliable control.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.