CVE-2026-35362 Overview
A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability exists in the safe_traversal module of uutils coreutils. The module, designed to protect against symlink races by using file-descriptor-relative syscalls, is incorrectly limited to Linux targets. On other Unix-like systems such as macOS and FreeBSD the utilities do not use these protections, leaving directory traversal operations exposed to symlink race conditions through which an attacker could redirect file operations.
Critical Impact
Local attackers with low privileges can exploit TOCTOU race conditions during directory traversal operations on non-Linux Unix systems (macOS, FreeBSD), potentially leading to unauthorized file access or modification through symlink manipulation.
Affected Products
- uutils coreutils (versions prior to 0.6.0) on macOS
- uutils coreutils (versions prior to 0.6.0) on FreeBSD
- uutils coreutils (versions prior to 0.6.0) on other non-Linux Unix-like systems
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-35362 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35362
Vulnerability Analysis
This vulnerability stems from CWE-367 (Time-of-Check Time-of-Use Race Condition), a classic race condition pattern where a security check is performed, but the state of the system changes between the check and the subsequent use of the resource.
The safe_traversal module in uutils coreutils was designed to provide protection against TOCTOU symlink races by using file-descriptor-relative syscalls (such as openat(), fstatat(), and similar functions). These syscalls allow operations to be performed relative to an already-opened directory file descriptor, preventing race conditions where an attacker could swap a directory for a symlink between the time a path is checked and when it's used.
However, because of incorrect platform-specific compilation directives, these protective measures are enabled only on Linux targets. When the coreutils utilities run on macOS, FreeBSD, or other Unix-like operating systems, the safer file-descriptor-relative syscalls are not used and the code falls back to path-based operations, which resolve the full path again on every call and therefore follow any symlink substituted in the meantime.
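To make the difference concrete, here is an added C illustration (not code from uutils coreutils) of the two traversal styles the module chooses between: a path-based open() that follows whatever the path resolves to at call time, and an fd-relative walk using openat() with O_NOFOLLOW that refuses a symlink at any step. It builds a constructed temporary directory containing a real subdirectory and a symlink to it; the helper names are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Path-based traversal: one open() of the joined path. The kernel resolves every
 * component afresh, so a component swapped for a symlink after an earlier check is followed. */
int open_dir_path_based(const char *root, const char *rel) {
    char buf[4096];
    snprintf(buf, sizeof buf, "%s/%s", root, rel);
    return open(buf, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
}

/* Fd-relative traversal: open the root once, then descend one component at a time with
 * openat() relative to the directory already held open. O_NOFOLLOW makes a symlink at any
 * step fail (ELOOP on Linux/macOS, EMLINK on FreeBSD) instead of being followed. */
int open_dir_fd_relative(const char *root, const char *rel) {
    int dirfd = open(root, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0) return -1;
    char copy[4096], *save = NULL;
    snprintf(copy, sizeof copy, "%s", rel);
    for (char *comp = strtok_r(copy, "/", &save); comp; comp = strtok_r(NULL, "/", &save)) {
        int next = openat(dirfd, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        close(dirfd);
        if (next < 0) return -1;   /* symlink (or missing/non-directory) component: refuse */
        dirfd = next;
    }
    return dirfd;
}

/* Constructed demo: a temp root holding a real directory "real" and a symlink "link" -> real.
 * Returns 1 when the path-based open follows the link while the fd-relative walk refuses it
 * (and still opens "real"), i.e. when the protection actually changes the outcome. */
int demo_symlink_refused(void) {
    char tmpl[] = "/tmp/toctou_demo_XXXXXX", real[256], lnk[256];
    char *root = mkdtemp(tmpl); if (!root) return -1;
    snprintf(real, sizeof real, "%s/real", root);
    snprintf(lnk, sizeof lnk, "%s/link", root);
    if (mkdir(real, 0700) != 0 || symlink("real", lnk) != 0) return -1;
    int a = open_dir_path_based(root, "link");
    int b = open_dir_fd_relative(root, "link");
    int c = open_dir_fd_relative(root, "real");
    int ok = (a >= 0 && b < 0 && c >= 0) ? 1 : 0;
    if (a >= 0) close(a); if (c >= 0) close(c);
    unlink(lnk); rmdir(real); rmdir(root);
    return ok;
}
```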
Root Cause
The root cause is a conditional compilation issue where the safe_traversal module's TOCTOU protections are gated behind Linux-specific target checks. The code likely uses Rust's #[cfg(target_os = "linux")] or similar conditional compilation attributes, which excludes non-Linux Unix platforms from receiving the same security protections. This represents an incomplete implementation of cross-platform security controls, where the developers correctly identified and mitigated the TOCTOU risk on Linux but failed to extend these protections to other supported Unix-like platforms.
Attack Vector
The attack requires local access to the system with low privileges. An attacker can exploit this vulnerability through the following general approach:
- The attacker identifies a directory traversal operation performed by a uutils coreutils utility on a non-Linux Unix system
- A legitimate directory path is created that will be traversed by the utility
- The attacker monitors for the target operation to begin
- During the brief window between path validation and file operation, the attacker rapidly replaces a directory component with a symbolic link pointing to a sensitive location
- The utility, lacking TOCTOU protection on non-Linux systems, follows the symlink and operates on the attacker-controlled target
The attack complexity is high due to the precise timing required to win the race condition. For detailed technical information on the vulnerability and fix implementation, see the GitHub Pull Request Discussion.
Detection Methods for CVE-2026-35362
Indicators of Compromise
- Unexpected symbolic link creation or modification in directories used by uutils coreutils operations
- Unusual file access patterns where utilities access files outside expected directory hierarchies
- Process tracing showing rapid symlink swapping during directory traversal operations
Detection Strategies
- Monitor for rapid symlink creation and deletion patterns using file system auditing tools (auditd on Linux, dtrace on macOS/FreeBSD)
- Implement file integrity monitoring on sensitive directories to detect unexpected symlink appearances
- Review system logs for uutils coreutils operations that access unexpected file paths
Monitoring Recommendations
- Enable extended file system auditing on systems running uutils coreutils on non-Linux Unix platforms
- Deploy endpoint detection solutions capable of identifying TOCTOU attack patterns
- Monitor for anomalous process behavior during file operations, particularly symlink manipulation timing patterns
How to Mitigate CVE-2026-35362
Immediate Actions Required
- Upgrade uutils coreutils to version 0.6.0 or later on all affected non-Linux Unix systems
- Audit systems running uutils coreutils on macOS and FreeBSD to identify potentially affected deployments
- Consider temporarily using the traditional GNU coreutils on non-Linux systems until the upgrade is completed
Patch Information
The vulnerability has been addressed in uutils coreutils version 0.6.0. The fix extends the safe_traversal module's TOCTOU protections to all Unix-like platforms, not just Linux. Users should upgrade to version 0.6.0 or later to receive the security fix. For complete release information, see the GitHub Release Notes for version 0.6.0.
Workarounds
- Restrict local access to systems running vulnerable versions of uutils coreutils on non-Linux platforms
- Use GNU coreutils instead of uutils coreutils on macOS and FreeBSD until patching is complete
- Implement strict directory permissions and ownership controls to limit the directories where attackers could perform symlink manipulation
- Consider mounting sensitive file systems with noexec and restricting symlink creation where possible
# Verify the installed uutils coreutils version (the multicall binary is named coreutils)
coreutils --version
# If installed with Cargo, upgrade to the fixed version
cargo install coreutils --version ">=0.6.0"
# On systems using package managers, check for updates
# Example for Homebrew on macOS:
brew upgrade uutils-coreutils
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.