CVE-2026-35361 Overview
The mknod utility in uutils coreutils contains a race condition vulnerability due to improper handling of security labels during device node creation. The utility creates device nodes before setting the SELinux context, and if the labeling operation fails, the cleanup attempt uses std::fs::remove_dir, which cannot remove device nodes or FIFOs. This results in mislabeled nodes persisting on the system with incorrect default contexts, potentially allowing unauthorized access to device nodes that should have been restricted by mandatory access controls.
Critical Impact
Mislabeled device nodes may bypass SELinux mandatory access controls, potentially allowing unauthorized local access to restricted hardware devices.
Affected Products
- uutils coreutils (versions prior to 0.6.0)
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-35361 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35361
Vulnerability Analysis
This vulnerability is classified under CWE-281 (Improper Preservation of Permissions). The core issue lies in a Time-of-Check Time-of-Use (TOCTOU) race condition combined with an improper cleanup mechanism. When mknod creates a device node, the creation happens in two non-atomic steps: first, the node is created with default security labels, and second, the SELinux context is applied. This window between creation and labeling creates a vulnerability where the device node exists without proper security context.
The problem is compounded by a bug in the error handling path. When SELinux labeling fails, the utility attempts to clean up by removing the created node using std::fs::remove_dir. However, this function is designed to remove directories, not device nodes or FIFOs. As a result, failed cleanup leaves behind device nodes with incorrect default SELinux contexts.
Root Cause
The root cause is twofold: (1) the non-atomic creation and labeling of device nodes, and (2) the use of an inappropriate cleanup function (std::fs::remove_dir instead of std::fs::remove_file or the unlink syscall equivalent). The improper cleanup function silently fails when attempting to remove device nodes, leaving mislabeled special files on the filesystem.
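An added illustration of the cleanup defect, not code from uutils coreutils: a Unix-domain socket stands in for the device node or FIFO (creating real device nodes needs CAP_MKNOD, but both are non-directory special files that rmdir(2) refuses), and apply_security_context with its label_ok flag is a hypothetical stand-in for the SELinux labeling step. The vulnerable path cleans up with std::fs::remove_dir and leaves the mislabeled node behind; the corrected path uses std::fs::remove_file.

```rust
// Added example (not uutils code). A Unix-domain socket stands in for the device
// node/FIFO: both are non-directory special files that rmdir(2) rejects with ENOTDIR.
use std::os::unix::net::UnixListener;
use std::path::{Path, PathBuf};
use std::{fs, io};

/// Stand-in for the labeling step; `label_ok` (hypothetical) forces the
/// failure path the advisory describes.
fn apply_security_context(_path: &Path, label_ok: bool) -> io::Result<()> {
    if label_ok { Ok(()) } else { Err(io::Error::new(io::ErrorKind::Other, "SELinux labeling failed")) }
}

/// Create the node, then label it. If labeling fails, clean up with the
/// supplied remover and report whether the node is still on disk.
fn create_then_label(path: &Path, label_ok: bool, remover: fn(&Path) -> io::Result<()>) -> io::Result<bool> {
    let _sock = UnixListener::bind(path)?; // node now exists with the default label
    if let Err(e) = apply_security_context(path, label_ok) {
        // The bug: the removal error (ENOTDIR from rmdir) is silently dropped.
        if let Err(rm) = remover(path) {
            eprintln!("labeling failed ({e}); cleanup also failed: {rm}");
        }
    }
    Ok(path.exists())
}

/// Vulnerable cleanup: rmdir(2) cannot remove a non-directory.
fn vulnerable_cleanup(p: &Path) -> io::Result<()> { fs::remove_dir(p) }
/// Fixed cleanup: unlink(2) removes device nodes, FIFOs and sockets.
fn fixed_cleanup(p: &Path) -> io::Result<()> { fs::remove_file(p) }

fn scratch(name: &str) -> PathBuf {
    let p = std::env::temp_dir().join(format!("cve-2026-35361-{name}-{}", std::process::id()));
    let _ = fs::remove_file(&p); // start from a clean slate
    p
}

/// Returns (node left behind by remove_dir, node left behind by remove_file).
pub fn demo() -> io::Result<(bool, bool)> {
    let (a, b) = (scratch("vuln"), scratch("fixed"));
    let left_vuln = create_then_label(&a, false, vulnerable_cleanup)?;
    let left_fixed = create_then_label(&b, false, fixed_cleanup)?;
    let _ = fs::remove_file(&a); // tidy up the node the buggy path leaves behind
    Ok((left_vuln, left_fixed))
}

fn main() -> io::Result<()> {
    let (v, f) = demo()?;
    println!("mislabeled node persists: remove_dir={v} remove_file={f}");
    Ok(())
}
```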
Attack Vector
This vulnerability requires local access and high privileges to exploit, as creating device nodes typically requires root or elevated capabilities. An attacker with sufficient privileges could potentially exploit this by:
- Triggering a scenario in which SELinux context labeling fails during device node creation
- Relying on the resulting device node, which persists with a permissive default context after the failed cleanup
- Accessing the mislabeled device node from processes that the intended SELinux policy should have restricted
The attack is limited to local exploitation scenarios where the attacker can influence the SELinux labeling process or timing. The vulnerability primarily affects systems using SELinux in enforcing mode where mandatory access controls are actively restricting device access.
Detection Methods for CVE-2026-35361
Indicators of Compromise
- Presence of device nodes or FIFOs with unexpected or default SELinux contexts in locations where restricted contexts should be applied
- SELinux audit logs showing avc: denied messages followed by successful access to the same resources
- Device nodes created by mknod that have the system default context rather than the expected target context
Detection Strategies
- Audit SELinux contexts on all device nodes using ls -Z /dev/* and compare against expected security policies
- Monitor for failed SELinux labeling operations in system logs (/var/log/audit/audit.log)
- Implement file integrity monitoring on /dev and other locations where device nodes are created
- Check uutils coreutils version to confirm whether the vulnerable version is installed
Monitoring Recommendations
- Enable SELinux audit logging and configure alerts for context assignment failures during device node creation
- Implement periodic scans to verify SELinux contexts on critical device nodes match security policy requirements
- Monitor for unexpected device nodes that persist after mknod execution failures
How to Mitigate CVE-2026-35361
Immediate Actions Required
- Upgrade uutils coreutils to version 0.6.0 or later, which contains the fix for this vulnerability
- Audit existing device nodes for incorrect SELinux contexts and relabel as necessary using restorecon
- Review any custom scripts or automation that use mknod from uutils coreutils to ensure proper error handling
Patch Information
The vulnerability has been addressed in uutils coreutils version 0.6.0. The fix ensures atomic handling of security labels during device node creation and uses the correct removal function for cleanup when labeling fails. For detailed information about the fix, see the GitHub Pull Request #10582 and the GitHub Release 0.6.0.
Workarounds
- Use the GNU coreutils mknod implementation instead of uutils coreutils until the upgrade can be performed
- Implement wrapper scripts that verify SELinux contexts after device node creation and perform manual cleanup if labeling fails
- Consider temporarily using chcon or restorecon immediately after mknod operations to ensure correct labeling
- For critical systems, audit device node creation operations and implement compensating controls to detect and remediate mislabeled nodes
# Verify SELinux contexts on device nodes
ls -Z /dev/your_device_node
# Restore correct SELinux context if needed
restorecon -v /dev/your_device_node
# Check installed uutils coreutils version
mknod --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.