CVE-2026-35361
LOWuutils coreutils mknod Security Label Inconsistency and Broken Cleanup on SELinux Systems
Title source: cnaDescription
The mknod utility in uutils coreutils fails to handle security labels atomically by creating device nodes before setting the SELinux context. If labeling fails, the utility attempts cleanup using std::fs::remove_dir, which cannot remove device nodes or FIFOs. This leaves mislabeled nodes behind with incorrect default contexts, potentially allowing unauthorized access to device nodes that should have been restricted by mandatory access controls.
References (2)
Core 2
Core References
Patch issue-tracking
patch
https://github.com/uutils/coreutils/pull/10582
Vendor Advisory vendor-advisory
https://github.com/uutils/coreutils/releases/tag/0.6.0
Scores
CVSS v3
3.4
EPSS
0.0014
EPSS Percentile
3.8%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-281
CWE-459
Status
published
Products (3)
crates.io/coreutils
0 - 0.6.0crates.io
Uutils/coreutils
< 0.6.0
uutils/coreutils
< 0.6.0
Published
Apr 22, 2026
Tracked Since
Apr 22, 2026