CVE-2026-35357

MEDIUM 4.7

uutils coreutils cp Information Disclosure via Permission Handling Race

CVSS Score

4.7

EPSS Score

0.0%

EPSS Percentile

0th

The cp utility in uutils coreutils is vulnerable to an information disclosure race condition. Destination files are initially created with umask-derived permissions (e.g., 0644) before being restricted to their final mode (e.g., 0600) later in the process. A local attacker can race to open the file during this window; once obtained, the file descriptor remains valid and readable even after the permissions are tightened, exposing sensitive or private file contents.

CWE	CWE-367
Vendor	uutils
Product	coreutils
Published	Apr 22, 2026
Last Updated	Apr 22, 2026

Stay Ahead of the Next One

Get instant alerts for uutils coreutils

Be the first to know when new medium vulnerabilities affecting uutils coreutils are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

Uutils / coreutils

All versions affected

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/uutils/coreutils/issues/10011

Credits

Zellic