CVE-2026-35364 Overview
A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability has been discovered in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation, creating a window of opportunity for exploitation. A local attacker with write access to the destination directory can exploit this timing window to replace the destination with a symbolic link. The subsequent privileged move operation will follow the symlink, allowing the attacker to redirect the write and overwrite an arbitrary target file with contents from the source.
Critical Impact
Local attackers can exploit this race condition to overwrite arbitrary files on the system, potentially leading to privilege escalation or system compromise through targeted file overwrites.
Affected Products
- uutils coreutils mv utility (cross-device operations)
Discovery Timeline
- 2026-04-22 - CVE-2026-35364 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35364
Vulnerability Analysis
This vulnerability is classified as CWE-367 (Time-of-Check Time-of-Use Race Condition). The flaw exists in how the mv utility handles cross-device move operations. When a file is moved across different filesystems, the operation cannot be performed as a simple rename system call. Instead, the utility must copy the file to the destination and then remove the source.
The vulnerable implementation first removes any existing file at the destination path, then performs the copy operation. This creates a critical timing window between the deletion of the destination and the creation of the new file. During this window, an attacker with write permissions to the destination directory can create a symbolic link pointing to a sensitive system file.
When the privileged mv operation subsequently writes the source file contents, it follows the attacker-controlled symlink and overwrites the target file. This can result in arbitrary file overwrites with attacker-influenced content, potentially compromising system integrity or enabling privilege escalation if critical system files are targeted.
Root Cause
The root cause is the non-atomic nature of the cross-device move operation. The implementation performs a delete-then-copy sequence without any safeguard against symlink injection during the timing window: it neither uses file-handling APIs that refuse to follow symlinks nor replaces the destination path atomically.
Attack Vector
The attack requires local access with write permissions to the destination directory. An attacker can monitor for cross-device move operations targeting a predictable destination path. By rapidly creating a symbolic link at the destination during the timing window between file deletion and recreation, the attacker can redirect the write operation to an arbitrary file on the system. The exploitation complexity is high due to the precise timing required, but successful exploitation can result in complete compromise of file integrity.
The attack flow involves:
- Monitoring for a privileged mv operation to a writable directory
- Winning the race condition by creating a symlink at the destination path after deletion but before the new file is written
- The privileged operation follows the symlink and writes content to the attacker-specified target file
Detection Methods for CVE-2026-35364
Indicators of Compromise
- Unexpected symbolic links appearing in directories where cross-device move operations occur
- Modified system files with timestamps correlating to mv operations
- Audit logs showing rapid file deletion followed by symlink creation in the same path
- Integrity check failures on critical system files
Detection Strategies
- Monitor for symlink creation in directories commonly used as move destinations
- Implement file integrity monitoring (FIM) on sensitive system files
- Use audit frameworks to track mv operations performed with elevated privileges
- Alert on rapid filesystem operations involving delete-symlink-write sequences
Monitoring Recommendations
- Enable Linux audit subsystem to log file operations in sensitive directories
- Deploy endpoint detection solutions capable of identifying TOCTOU exploitation patterns
- Monitor process execution chains for suspicious timing of filesystem operations
- Review logs for anomalous mv operations, particularly those crossing device boundaries
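A minimal correlator for the delete-then-symlink indicator described above, added here as an illustration and not taken from the advisory. It assumes a constructed, simplified one-event-per-line format ("<epoch_secs> <syscall> <path>"); real auditd output spreads this across SYSCALL and PATH records and would need a different parser.

```rust
// Added example (not from the advisory): flag an unlink on a path that is
// followed, within a short window, by a symlink created at the same path.
// Input format is a constructed simplification: "<epoch_secs> <syscall> <path>".
use std::collections::HashMap;

pub struct Alert {
    pub path: String,
    pub gap_secs: f64,
}

pub fn find_delete_then_symlink(log: &str, window_secs: f64) -> Vec<Alert> {
    // Most recent unlink time seen per path.
    let mut last_unlink: HashMap<String, f64> = HashMap::new();
    let mut alerts = Vec::new();
    for line in log.lines() {
        let mut f = line.split_whitespace();
        let (ts, call, path) = match (f.next(), f.next(), f.next()) {
            (Some(t), Some(c), Some(p)) => (t, c, p),
            _ => continue, // blank or malformed line
        };
        let ts: f64 = match ts.parse() {
            Ok(v) => v,
            Err(_) => continue,
        };
        match call {
            "unlink" | "unlinkat" => {
                last_unlink.insert(path.to_string(), ts);
            }
            "symlink" | "symlinkat" => {
                if let Some(t0) = last_unlink.get(path) {
                    let gap = ts - t0;
                    if gap >= 0.0 && gap <= window_secs {
                        alerts.push(Alert { path: path.to_string(), gap_secs: gap });
                    }
                }
            }
            _ => {} // other syscalls are irrelevant to this indicator
        }
    }
    alerts
}

// Constructed sample: one suspicious 2 ms unlink->symlink pair on report.txt,
// and an unrelated pair on old.log that is minutes apart and must not alert.
pub const SAMPLE_LOG: &str = "\
1713780000.100 unlinkat /srv/drop/report.txt
1713780000.102 symlinkat /srv/drop/report.txt
1713780000.105 openat /srv/drop/report.txt
1713780100.000 unlinkat /srv/drop/old.log
1713780400.000 symlinkat /srv/drop/old.log
";
```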
How to Mitigate CVE-2026-35364
Immediate Actions Required
- Review usage of uutils coreutils mv in privileged contexts
- Avoid cross-device move operations in directories writable by untrusted users
- Implement additional access controls on destination directories for sensitive operations
- Consider using atomic file operation alternatives where available
Patch Information
Monitor the GitHub Issue Report for official patches and updates from the uutils coreutils project. Update to a patched version once available from the maintainers.
Workarounds
- Restrict write access to destination directories used by privileged move operations
- Use cp followed by secure deletion instead of mv for cross-device operations in sensitive contexts
- Implement directory ownership checks before performing privileged file operations
- Consider mounting destination filesystems with the nosymfollow option where supported
Secure file operation practices should be implemented:
# Ensure destination directory is not writable by untrusted users
chmod 755 /secure/destination
chown root:root /secure/destination
# Refuse to proceed if a symlink already sits at the destination path.
# test -L inspects the link itself; exit 1 actually aborts, unlike a bare echo.
# Note: this check is itself racy; the directory permissions above are the real protection.
if test -L /destination/path; then
    echo "Symlink detected - aborting" >&2
    exit 1
fi
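The atomic alternative referred to in Root Cause and in the workarounds, written out as an added example; this is illustrative code, not the uutils implementation or its patch. It writes the copy into a temporary file in the destination directory opened with create_new (O_CREAT|O_EXCL, which fails rather than following a symlink) and then renames it over the destination, so no delete-then-create window exists.

```rust
// Added example, not uutils code. A cross-device "move" that cannot be
// redirected by a symlink planted at the destination path: instead of
// unlink(dest) followed by open(dest), it creates a fresh temporary file
// (create_new = O_CREAT|O_EXCL, never follows a symlink) and rename()s it
// over dest. rename() swaps the directory entry atomically and does not
// dereference the name it replaces, so a planted symlink is simply replaced.
use std::fs::{self, File, OpenOptions};
use std::io;
use std::path::{Path, PathBuf};

pub fn safe_cross_device_move(src: &Path, dest: &Path) -> io::Result<()> {
    let bad = |m: &str| io::Error::new(io::ErrorKind::InvalidInput, m.to_string());
    let dir = dest.parent().ok_or_else(|| bad("dest has no parent"))?;
    let name = dest.file_name().ok_or_else(|| bad("dest has no file name"))?;
    // Temp file lives in the same directory so the final rename stays on
    // one filesystem (a cross-filesystem rename would fail with EXDEV).
    let tmp: PathBuf = dir.join(format!(
        ".{}.{}.mvtmp",
        name.to_string_lossy(),
        std::process::id()
    ));
    let result: io::Result<()> = (|| {
        let mut out = OpenOptions::new().write(true).create_new(true).open(&tmp)?;
        let mut input = File::open(src)?;
        io::copy(&mut input, &mut out)?;
        out.sync_all()?; // data on disk before the name becomes visible
        fs::rename(&tmp, dest)
    })();
    if result.is_err() {
        let _ = fs::remove_file(&tmp); // best-effort cleanup, keep the original error
        return result;
    }
    // Only drop the source once the destination is durably in place.
    fs::remove_file(src)
}

fn main() -> io::Result<()> {
    let args: Vec<String> = std::env::args().collect();
    if args.len() != 3 {
        eprintln!("usage: {} SRC DEST", args[0]);
        std::process::exit(2);
    }
    safe_cross_device_move(Path::new(&args[1]), Path::new(&args[2]))
}
```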
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.