CVE-2026-35352 — uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition

Description

A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO and then performs a path-based chmod to set permissions. A local attacker with write access to the parent directory can swap the newly created FIFO for a symbolic link between these two operations. This redirects the chmod call to an arbitrary file, potentially enabling privilege escalation if the utility is run with elevated privileges.

How to fix CVE-2026-35352

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed
—no fix listed

Is CVE-2026-35352 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, <= 0.8.0
from 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.0	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-35352
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-35352
PATCHgithub.com/uutils/coreutils
WEBgithub.com/uutils/coreutils/issues/10020
WEB