CVE-2026-35360 Overview
The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss.
Critical Impact
Local attackers with limited privileges can exploit the race condition window to cause permanent data loss by manipulating the target path between the existence check and file creation operations.
Affected Products
- uutils coreutils (touch utility)
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-35360 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35360
Vulnerability Analysis
This vulnerability is classified as CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition. The fundamental issue arises from a temporal gap between when the touch utility checks for the existence of a file path and when it subsequently performs file operations on that path.
The touch utility first performs a check to determine if the target file exists. If the file does not exist, the utility later calls File::create() to create the file. However, File::create() in Rust uses the O_TRUNC flag internally, which truncates any existing file to zero length. This creates a race window that an attacker can exploit.
An attacker with local access can monitor for touch operations and, during the window between the existence check and the File::create() call, either create a file at the target path or swap in a symlink pointing to a sensitive file. When touch proceeds with File::create(), it will truncate whatever file now exists at that path—potentially destroying critical data.
Root Cause
The root cause is the separation of the file existence check from the subsequent file creation operation. The touch utility does not use atomic operations that would eliminate the race window. Instead of using a single atomic operation that creates the file only if it doesn't exist (like O_CREAT | O_EXCL), the current implementation performs a separate check followed by a create operation with O_TRUNC.
Attack Vector
The attack requires local access with low privileges. An attacker must be able to:
- Monitor the file system for touch operations targeting specific paths
- Have write access to the parent directory of the target path
- Create files or symlinks quickly enough to win the race condition
While the attack complexity is high due to the timing-sensitive nature of race conditions, successful exploitation leads to integrity and availability impacts through data truncation and permanent loss.
The attacker would typically create a monitoring process that watches for the target path check, then rapidly creates a symlink pointing to a victim file (such as configuration files, databases, or logs) before the touch utility completes its File::create() call.
Detection Methods for CVE-2026-35360
Indicators of Compromise
- Unexpected truncation of critical files to zero bytes with no corresponding legitimate write operations
- Presence of suspicious symlinks in directories where touch operations are commonly performed
- Rapid file system activity patterns indicating race condition exploitation attempts
- Log entries showing file access timing anomalies around touch utility operations
Detection Strategies
- Monitor file system integrity using tools that detect unexpected file size changes, particularly truncation to zero bytes
- Implement audit logging for symlink creation operations in sensitive directories
- Deploy file integrity monitoring (FIM) solutions to detect unauthorized modifications to critical files
- Use system call tracing to identify suspicious patterns of stat() followed by rapid symlink operations
Monitoring Recommendations
- Enable detailed audit logging for file system operations involving the touch utility
- Configure alerts for zero-length file creation events affecting critical system files
- Monitor for unusual symlink creation patterns in directories commonly targeted by touch operations
- Implement baseline monitoring for expected touch utility usage to identify anomalous behavior
How to Mitigate CVE-2026-35360
Immediate Actions Required
- Review usage of the touch utility in automated scripts and cron jobs that may operate on predictable paths
- Implement directory-level access controls to limit who can create files or symlinks in sensitive locations
- Consider using alternative file creation methods that employ atomic operations until a patch is available
- Audit critical directories for unexpected symlinks that could be exploitation staging artifacts
Patch Information
No official patch has been confirmed at the time of this writing. Security teams should monitor the uutils coreutils GitHub repository for updates and patch releases. The fix would likely involve using atomic file creation operations such as O_CREAT | O_EXCL instead of the current two-step check-then-create approach.
Workarounds
- Restrict write permissions on parent directories where touch is expected to create files
- Use filesystem-level immutable attributes on critical files that should never be truncated
- Implement mandatory access control (MAC) policies using SELinux or AppArmor to limit touch utility operations
- Replace touch usage in security-critical scripts with atomic file creation alternatives
For scripts requiring touch-like functionality, consider using atomic alternatives:
# Alternative: Use set -o noclobber and redirection for atomic creation
# This prevents clobbering existing files
set -o noclobber
: > "$target_file" 2>/dev/null || true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
