CVE-2026-35360
MEDIUMuutils coreutils touch Arbitrary File Truncation via TOCTOU Race Condition
Title source: cnaDescription
The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss.
References (1)
Core 1
Core References
Issue Tracking issue-tracking
https://github.com/uutils/coreutils/issues/10019
Scores
CVSS v3
6.3
EPSS
0.0010
EPSS Percentile
1.3%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-367
Status
published
Products (3)
crates.io/coreutils
0crates.io
Uutils/coreutils
uutils/coreutils
Published
Apr 22, 2026
Tracked Since
Apr 22, 2026