CVE-2026-35376 Overview
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the chcon utility of uutils coreutils during recursive operations. The implementation resolves recursive targets using a fresh path lookup (via fts_accpath) rather than binding the traversal and label application to the specific directory state encountered during traversal. Because these operations are not anchored to file descriptors, a local attacker with write access to a directory tree can exploit timing-sensitive rename or symbolic link races to redirect a privileged recursive relabeling operation to unintended files or directories. This vulnerability breaks the hardening expectations for SELinux administration workflows and can lead to the unauthorized modification of security labels on sensitive system objects.
Critical Impact
Local attackers can exploit race conditions during recursive SELinux label operations to modify security contexts on unintended system files, potentially undermining mandatory access control protections.
Affected Products
- uutils coreutils (versions prior to 0.8.0)
- Systems using chcon utility for SELinux context management
- Linux systems with SELinux enabled running vulnerable uutils coreutils
Discovery Timeline
- 2026-04-22 - CVE-2026-35376 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35376
Vulnerability Analysis
This vulnerability is classified as CWE-367 (Time-of-Check Time-of-Use Race Condition). The core issue lies in the architectural design of the chcon utility's recursive directory traversal mechanism. When processing directory trees recursively, the utility performs a security check on a path and then subsequently operates on that same path using a fresh lookup. This creates a window of opportunity between the check and the use where the file system state can be modified by an attacker.
The exploitation requires local access and the ability to write to the target directory tree. An attacker can manipulate symbolic links or rapidly rename files during the race window to redirect the privileged relabeling operation to sensitive system files that should not be accessible. This attack pattern is particularly concerning in environments where SELinux is used for mandatory access control, as it can undermine the security guarantees provided by the security labeling system.
Root Cause
The root cause of this vulnerability is the use of path-based operations (fts_accpath) instead of file descriptor-based operations during recursive traversal. When the chcon utility traverses directories, it resolves paths at the time of the operation rather than anchoring operations to file descriptors obtained at discovery time. This design allows the underlying file system structure to change between when a file is discovered and when the security label modification is applied.
The proper mitigation requires binding directory traversal and label application operations to specific file descriptors, ensuring that the operations are performed on the exact file system objects that were checked, regardless of any subsequent file system modifications.
Attack Vector
The attack leverages local access with write permissions to a directory tree being processed by a privileged chcon operation. The attacker creates a scenario where:
- A privileged process initiates a recursive chcon operation on a directory tree
- The attacker monitors for the traversal to reach a specific subdirectory
- During the race window between path resolution and label application, the attacker quickly replaces a directory or file with a symbolic link pointing to a sensitive target (e.g., /etc/shadow or system configuration files)
- The privileged chcon operation follows the symbolic link and applies the security context to the attacker-chosen target
This attack is timing-sensitive but can be reliably exploited with repeated attempts or by slowing down the target operation through system load manipulation.
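The root-cause and attack-vector descriptions above contrast a path-based recursive relabel with one anchored to file descriptors. The following is an added illustration written for this page, not code from uutils coreutils or its fix: relabel_by_path mirrors the racy check-then-fresh-lookup design, relabel_by_fd mirrors the descriptor-anchored design (openat with O_NOFOLLOW relative to the parent directory's descriptor, identity verified against the lstat taken at discovery), and demo builds a constructed temporary tree in which a labeler callback swaps a subdirectory for a symbolic link mid-run, standing in for the rename race. All function names are this example's own; selinux_fd_labeler assumes a Linux host with SELinux and is not exercised by demo.

```python
"""Path-based versus descriptor-anchored recursive relabeling (illustrative, not the uutils code)."""
import errno
import os
import shutil
import stat
import tempfile
from typing import Callable, List, Tuple

PathLabeler = Callable[[str], None]       # receives a path, resolved again at use time
FdLabeler = Callable[[int, str], None]    # receives an open descriptor plus a display path
O_PATH = getattr(os, "O_PATH", 0)         # Linux-only flag; falls back to O_RDONLY elsewhere


def relabel_by_path(root: str, label: PathLabeler) -> List[str]:
    """Racy design: entries are checked by path during discovery and relabeled later
    through a second path lookup. Nothing ties label(p) to the inode that was checked,
    so a rename or symlink swap in between redirects the operation."""
    discovered: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if not os.path.islink(p):          # time of check
                discovered.append(p)
    for p in discovered:
        label(p)                               # time of use: fresh lookup of the same string
    return discovered


def relabel_by_fd(root: str, label: FdLabeler) -> List[str]:
    """Fixed design: each entry is opened relative to its parent's descriptor with
    O_NOFOLLOW, verified against the lstat() taken at discovery, and labeled through
    that descriptor. Later renames or symlink swaps cannot redirect the operation."""
    done: List[str] = []
    root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        _walk_fd(root_fd, root, label, done)
    finally:
        os.close(root_fd)
    return done


def _walk_fd(dir_fd: int, shown: str, label: FdLabeler, done: List[str]) -> None:
    label(dir_fd, shown)
    done.append(shown)
    for name in os.listdir(dir_fd):
        child = os.path.join(shown, name)
        seen = os.lstat(name, dir_fd=dir_fd)                  # fstatat(AT_SYMLINK_NOFOLLOW)
        if stat.S_ISLNK(seen.st_mode):
            continue                                          # never dereference a link
        flags = os.O_NOFOLLOW | os.O_CLOEXEC
        flags |= (os.O_RDONLY | os.O_DIRECTORY) if stat.S_ISDIR(seen.st_mode) else O_PATH
        try:
            fd = os.open(name, flags, dir_fd=dir_fd)          # openat() relative to the parent
        except OSError as exc:
            if exc.errno in (errno.ELOOP, errno.ENOTDIR, errno.ENOENT):
                continue                                      # entry replaced under us: refuse
            raise
        try:
            now = os.fstat(fd)
            # O_PATH|O_NOFOLLOW opens a swapped-in symlink itself instead of failing,
            # so compare identities: a different inode means the entry changed after lstat().
            if (now.st_dev, now.st_ino) != (seen.st_dev, seen.st_ino):
                continue
            if stat.S_ISDIR(now.st_mode):
                _walk_fd(fd, child, label, done)
            else:
                label(fd, child)
                done.append(child)
        finally:
            os.close(fd)


def selinux_fd_labeler(context: str) -> FdLabeler:
    """Real labeler for SELinux hosts (assumption: Linux; not exercised by demo()).
    fsetxattr() rejects O_PATH descriptors, so the xattr is set via the /proc/self/fd link."""
    def label(fd: int, shown: str) -> None:
        os.setxattr(f"/proc/self/fd/{fd}", "security.selinux", context.encode())
    return label


def _build_tree(base: str) -> Tuple[str, str, int]:
    """Constructed fixture: root/a, root/sub/b, and a 'sensitive' file outside/b."""
    root, outside = os.path.join(base, "root"), os.path.join(base, "outside")
    os.makedirs(os.path.join(root, "sub"))
    os.makedirs(outside)
    for rel in ("root/a", "root/sub/b", "outside/b"):
        open(os.path.join(base, rel), "w").close()
    return root, outside, os.stat(os.path.join(outside, "b")).st_ino


def demo() -> Tuple[bool, bool]:
    """Runs both designs against a fresh tree; the labeler swaps root/sub for a symlink
    to outside/ on its first call. Returns (racy_touched_outside, fd_touched_outside)."""
    results: List[bool] = []
    for walker in (relabel_by_path, relabel_by_fd):
        base = tempfile.mkdtemp()
        try:
            root, outside, sensitive_ino = _build_tree(base)
            hits: List[int] = []
            state = {"swapped": False}

            def swap_then_record(target) -> None:           # target: path (racy) or fd (fixed)
                if not state["swapped"]:                    # the rename race, fired once
                    state["swapped"] = True
                    os.rename(os.path.join(root, "sub"), os.path.join(root, "sub.moved"))
                    os.symlink(outside, os.path.join(root, "sub"))
                hits.append(os.stat(target).st_ino)         # os.stat accepts a path or an fd

            if walker is relabel_by_path:
                relabel_by_path(root, swap_then_record)
            else:
                relabel_by_fd(root, lambda fd, shown: swap_then_record(fd))
            results.append(sensitive_ino in hits)
        finally:
            shutil.rmtree(base)
    return results[0], results[1]


if __name__ == "__main__":
    print(demo())   # expected: (True, False)
```

Running demo() shows the path-based walker labeling the inode of outside/b after the swap, while the descriptor-anchored walker only ever labels inodes it opened relative to the tree it started in. The inode comparison after openat matters because O_PATH with O_NOFOLLOW returns a descriptor for a symlink rather than an error; without it a file swapped for a link between lstat and openat would be labeled as the link itself.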
Detection Methods for CVE-2026-35376
Indicators of Compromise
- Unexpected changes to SELinux security contexts on sensitive system files
- Audit logs showing chcon operations on files outside the intended directory scope
- Presence of rapidly changing symbolic links in directories being recursively processed
- SELinux denials followed by context modifications on protected files
Detection Strategies
- Monitor audit logs for unexpected setfilecon or lsetfilecon calls on sensitive paths (these libselinux calls reach the kernel as setxattr, lsetxattr or fsetxattr on the security.selinux attribute, which is what auditd records)
- Implement file integrity monitoring on critical system files to detect unauthorized security label changes
- Review auditd logs for suspicious patterns of symlink creation followed by chcon operations
- Deploy inotify-based monitoring on sensitive directories to detect rapid file system changes during administrative operations
Monitoring Recommendations
- Enable comprehensive SELinux auditing with auditctl rules targeting context modification events
- Configure alerts for security context changes on files in /etc, /usr, and other system directories
- Implement real-time monitoring for symbolic link creation in directories commonly targeted for recursive operations
- Review privileged process activity logs for chcon commands executed on user-writable directory trees
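The detection and monitoring bullets above describe correlating auditd records: relabel syscalls on protected paths, and symlink creation shortly before a relabel in the same tree. The block below is an added example for this page, not tooling from the uutils project: it parses constructed auditd SYSCALL and PATH records, groups them by audit serial, and flags a relabel event when its target path sits under a protected prefix, when the object's existing label (the obj= field auditd records at lookup time) is a protected type, or when a symlink was created under the same path by another login session within a short window. The auditctl rules in the comment, the syscall numbers (x86_64 table) and the sample log lines are assumptions of this example.

```python
"""Correlate auditd SYSCALL/PATH records to flag suspicious SELinux relabel events."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Rules this detector expects to be loaded (assumption: x86_64 syscall table):
#   auditctl -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr -k selinux-relabel
#   auditctl -a always,exit -F arch=b64 -S symlink,symlinkat -k symlink-create
RELABEL_SYSCALLS = {188, 189, 190}       # setxattr, lsetxattr, fsetxattr on x86_64
SYMLINK_SYSCALLS = {88, 266}             # symlink, symlinkat on x86_64
PROTECTED_PREFIXES = ("/etc/", "/usr/", "/boot/")
PROTECTED_TYPES = {"shadow_t", "passwd_file_t", "etc_t", "bin_t", "lib_t", "boot_t"}
WINDOW_SECONDS = 30.0

_HEAD = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: a legitimate relabel (7001), a symlink created by an unprivileged
# session (7002), then a privileged relabel that lands on a shadow_t object (7003).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1776000000.100:7001): arch=c000003e syscall=189 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=1 ppid=4100 pid=4101 auid=0 uid=0 gid=0 euid=0 comm="chcon" exe="/usr/bin/chcon" key="selinux-relabel"
type=PATH msg=audit(1776000000.100:7001): item=0 name="/srv/www/site/index.html" inode=2001 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 obj=system_u:object_r:httpd_sys_content_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1776000000.105:7002): arch=c000003e syscall=88 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=5200 pid=5201 auid=1000 uid=1000 gid=1000 euid=1000 comm="ln" exe="/usr/bin/ln" key="symlink-create"
type=PATH msg=audit(1776000000.105:7002): item=0 name="/srv/www/site/" inode=2000 dev=fd:01 mode=040775 ouid=1000 ogid=1000 obj=system_u:object_r:httpd_sys_content_t:s0 nametype=PARENT
type=PATH msg=audit(1776000000.105:7002): item=1 name="/srv/www/site/sub" inode=2077 dev=fd:01 mode=0120777 ouid=1000 ogid=1000 obj=unconfined_u:object_r:httpd_sys_content_t:s0 nametype=CREATE
type=SYSCALL msg=audit(1776000000.110:7003): arch=c000003e syscall=188 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=1 ppid=4100 pid=4101 auid=0 uid=0 gid=0 euid=0 comm="chcon" exe="/usr/bin/chcon" key="selinux-relabel"
type=PATH msg=audit(1776000000.110:7003): item=0 name="/srv/www/site/sub/shadow" inode=3120 dev=fd:01 mode=0100000 ouid=0 ogid=0 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
"""


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split one auditd line into its fields; returns None for lines it cannot parse."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields.update(type=rtype, ts=float(ts), serial=int(serial))
    return fields


def group_events(lines: List[str]) -> List[Dict]:
    """Group records sharing an audit serial into one event with its SYSCALL and PATH items."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec["serial"]]
        if rec["type"] == "SYSCALL":
            ev["syscall"] = rec
        elif rec["type"] == "PATH":
            ev["paths"].append(rec)
    return [events[s] for s in sorted(events) if events[s]["syscall"]]


def _label_type(ctx: str) -> str:
    """'system_u:object_r:shadow_t:s0' -> 'shadow_t'."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""


def find_suspicious_relabels(lines: List[str]) -> List[Dict]:
    """Return relabel events worth alerting on, each with the reasons it was flagged."""
    findings: List[Dict] = []
    recent_symlinks = []                     # (timestamp, link path, creating auid)
    for ev in group_events(lines):
        sc = ev["syscall"]
        nr = int(sc.get("syscall", -1))
        if nr in SYMLINK_SYSCALLS:
            for p in ev["paths"]:
                if p.get("nametype") == "CREATE":
                    recent_symlinks.append((sc["ts"], p["name"], sc.get("auid", "?")))
            continue
        if nr not in RELABEL_SYSCALLS or sc.get("success") != "yes":
            continue
        for p in ev["paths"]:
            name = p.get("name", "")
            reasons = []
            if name.startswith(PROTECTED_PREFIXES):
                reasons.append("path under protected prefix")
            if _label_type(p.get("obj", "")) in PROTECTED_TYPES:
                reasons.append(f"object already labelled {p['obj']}")
            for ts, link, auid in recent_symlinks:
                if sc["ts"] - ts <= WINDOW_SECONDS and (name == link or name.startswith(link + "/")):
                    reasons.append(f"symlink {link} created by auid {auid} {sc['ts'] - ts:.1f}s earlier")
            if reasons:
                findings.append({"serial": sc["serial"], "exe": sc.get("exe", "?"),
                                 "path": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_relabels(SAMPLE_AUDIT_LOG.splitlines()):
        print(f["serial"], f["exe"], f["path"], "; ".join(f["reasons"]))
```

The obj= check is the one that survives the race itself: in a redirected relabel the PATH name auditd records is still the path under the user-writable tree, so a prefix match alone misses it, whereas the object's pre-existing label reveals what was actually reached. Tune PROTECTED_TYPES and WINDOW_SECONDS to the environment; on hosts that are not x86_64, replace the syscall numbers with that architecture's table.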
How to Mitigate CVE-2026-35376
Immediate Actions Required
- Upgrade uutils coreutils to version 0.8.0 or later which contains the fix for this vulnerability
- Consider using the traditional GNU coreutils chcon implementation as a temporary alternative
- Restrict write access to directory trees that are subject to privileged recursive chcon operations
- Avoid running recursive chcon operations on directory trees that contain user-writable subdirectories
Patch Information
The vulnerability has been addressed in uutils coreutils version 0.8.0. The fix involves anchoring file system operations to file descriptors obtained during traversal rather than performing fresh path lookups. For detailed information about the patch implementation, refer to the GitHub Pull Request Discussion. Release notes are available in the GitHub Release Notes 0.8.0.
Workarounds
- Use GNU coreutils chcon instead of uutils coreutils version until upgrade is possible
- Implement wrapper scripts that verify directory ownership and permissions before executing recursive chcon operations
- Apply mandatory file locking on target directories during administrative operations when feasible
- Restrict recursive chcon operations to directory trees mounted with nosuid and noexec options where possible
# Example: verify directory safety before a recursive chcon
# List world-writable subdirectories and symbolic links under the target tree
find /target/directory \( -type d -perm -o+w \) -o -type l 2>/dev/null
# If no output, it is safer to proceed; the tree can still change between this
# check and the chcon run, so this narrows the race window rather than closing it
# Consider using GNU coreutils chcon as a mitigation
/usr/bin/chcon -R -t target_context_t /target/directory
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.