CVE-2026-35360

MEDIUM

uutils coreutils touch Arbitrary File Truncation via TOCTOU Race Condition

Title source: cna

Description

The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss.

References (1)

[Issue Tracking] https://github.com/uutils/coreutils/issues/10019

Scores

CVSS v3 6.3

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Details

CWE

CWE-367

Status published

Products (1)

Uutils/coreutils

Published Apr 22, 2026

Tracked Since Apr 22, 2026