CVE Alert

CVE-2026-35356

MEDIUM 6.3

uutils coreutils install Arbitrary File Overwrite with -D via Path Component Symlink Race

CVSS Score: 6.3
EPSS Score: 0.0%
EPSS Percentile: 0th

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the install utility of uutils coreutils when using the -D flag. The command creates parent directories and subsequently performs a second path resolution to create the target file, neither of which is anchored to a directory file descriptor. An attacker with concurrent write access can replace a path component with a symbolic link between these operations, redirecting the privileged write to an arbitrary file system location.

CWE CWE-367
Vendor uutils
Product coreutils
Published Apr 22, 2026
Last Updated Apr 22, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: High

Affected Versions

uutils / coreutils: all versions before 0.7.0 (0 <= version < 0.7.0)

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/uutils/coreutils/pull/10140
github.com: https://github.com/uutils/coreutils/releases/tag/0.7.0

Credits

Zellic