CVE-2026-35374 Overview
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the split utility of uutils coreutils. The program attempts to prevent data loss by checking for identity between input and output files using their file paths before initiating the split operation. However, the utility subsequently opens the output file with truncation after this path-based validation is complete. A local attacker with write access to the directory can exploit this race window by manipulating mutable path components (e.g., swapping a path with a symbolic link). This can cause split to truncate and write to an unintended target file, potentially including the input file itself or other sensitive files accessible to the process, leading to permanent data loss.
Critical Impact
Local attackers can exploit the race condition between path validation and file operations to cause permanent data loss by manipulating symbolic links, potentially affecting sensitive files or the input file itself.
Affected Products
- uutils coreutils (versions prior to security fix)
- Systems running the split utility from uutils coreutils
- Linux/Unix environments with the affected package installed
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-35374 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35374
Vulnerability Analysis
This vulnerability is classified as CWE-367 (Time-of-Check Time-of-Use Race Condition). The fundamental issue lies in the temporal gap between when the split utility validates file paths and when it actually performs file operations.
The split utility implements a safety check to prevent users from accidentally overwriting their input file by comparing file paths. However, this check occurs at an earlier point in the execution flow than the actual file open operation. During this window, an attacker with write access to the directory can manipulate the filesystem—specifically by replacing a legitimate path component with a symbolic link pointing to a different file.
When the program proceeds to open the output file with truncation flags, it follows the now-modified path, potentially truncating and overwriting an unintended target file. This could include the original input file (defeating the very protection the check was meant to provide) or any other file the process has write access to.
Root Cause
The root cause is a path-based identity check that does not account for the mutable nature of filesystem paths. The validation relies on comparing string paths at check time, but these paths can be redirected through symbolic link manipulation before the actual file operations occur. The lack of file descriptor-based validation or atomic operations creates an exploitable race window.
Attack Vector
The attack requires local access with write permissions to the directory containing the target files. An attacker would:
- Identify when a user initiates a split operation on a file
- During the brief window after path validation but before file truncation, replace the output path or a component of it with a symbolic link
- The symbolic link redirects the write operation to a different target file
- The split utility truncates and writes to the unintended file, causing data loss
The attack is a classic symlink race attack pattern. The attacker must have precise timing or repeatedly attempt the manipulation to successfully exploit the race window. The vulnerability manifests in the file handling logic where output files are opened with truncation. For technical implementation details, see the GitHub Pull Request #11401 which addresses this issue.
Detection Methods for CVE-2026-35374
Indicators of Compromise
- Unexpected truncation or modification of files not related to the intended split operation
- Presence of suspicious symbolic links in directories where split operations are performed
- Audit logs showing file access patterns inconsistent with normal split usage
- Unexpected data loss in files that should not have been modified
Detection Strategies
- Monitor for rapid creation and deletion of symbolic links in directories where file operations occur
- Implement file integrity monitoring on sensitive files to detect unexpected modifications
- Use audit frameworks (e.g., auditd on Linux) to track symlink operations near split invocations
- Review process execution logs for split commands followed by unexpected file modifications
Monitoring Recommendations
- Enable filesystem auditing for symbolic link creation events in sensitive directories
- Implement real-time file integrity monitoring solutions to detect unauthorized file truncation
- Configure alerts for anomalous file permission changes or unexpected file deletions
- Deploy SentinelOne agents to detect and respond to suspicious filesystem manipulation patterns
How to Mitigate CVE-2026-35374
Immediate Actions Required
- Update uutils coreutils to the latest version containing the security fix
- Restrict write access to directories where sensitive split operations are performed
- Avoid running split operations in directories where untrusted users have write access
- Consider using absolute paths and restricting directory permissions during file operations
Patch Information
A fix for this vulnerability has been developed and is tracked in GitHub Pull Request #11401. Users should update to the patched version of uutils coreutils once the fix is merged and released. The patch addresses the race condition by implementing proper file identity verification that is resistant to path manipulation.
Workarounds
- Perform split operations in directories with restricted write access (only the executing user)
- Use dedicated temporary directories with chmod 700 permissions for file splitting operations
- Avoid using symbolic links in directory paths where split operations are performed
- Consider using container isolation to restrict filesystem access during sensitive operations
# Configuration example
# Create a secure temporary directory for split operations
mkdir -p /tmp/secure_split_$$
chmod 700 /tmp/secure_split_$$
# Perform split operation in the secured directory
cd /tmp/secure_split_$$
split -b 1M /path/to/input_file output_prefix_
# Clean up after operation
cd - && rm -rf /tmp/secure_split_$$
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
