CVE-2026-35341
Permission Modification Vulnerability in uutils coreutils mkfifo
Publication date: 2026-04-22
Last updated on: 2026-04-24
Assigner: Canonical Ltd.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uutils | coreutils | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the uutils coreutils mkfifo command. When mkfifo tries to create a FIFO (named pipe) but finds that a file already exists at the target path, it does not stop the operation. Instead, it proceeds to change the permissions of the existing file to the default mode (often 644 after applying umask).
Because of this behavior, the permissions of existing files can be modified without authorization, potentially exposing sensitive files to other users on the system.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized modification of file permissions on existing files. For example, sensitive files such as SSH private keys could have their permissions changed to be more permissive, allowing other users on the system to read them.
Such exposure of sensitive files can compromise system security, potentially allowing attackers or unauthorized users to gain access to confidential information or escalate privileges.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthorized modification of file permissions, potentially exposing sensitive files such as SSH private keys to other users on the system.
Exposure of sensitive files could lead to unauthorized access to protected data, which may result in non-compliance with data protection standards and regulations like GDPR and HIPAA that require safeguarding sensitive information.
Therefore, this vulnerability could negatively impact compliance by increasing the risk of data breaches or unauthorized data access.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized changes to file permissions, especially on sensitive files such as SSH private keys or system files like /etc/shadow.
One way to detect exploitation attempts is to watch for rapid creation and deletion of FIFOs and symbolic links in directories like /tmp, which may indicate an attacker trying to exploit the TOCTOU race condition.
Suggested commands to help detect suspicious activity include:
- Use auditd or inotifywait to monitor changes to sensitive files and directories.
- Run commands like `ls -l /path/to/sensitive/file` periodically to check for unexpected permission changes.
- Use `find / -type p -exec ls -l {} \;` to list existing FIFOs and check their permissions.
- Monitor for symlink creation in directories where mkfifo is used, e.g., `find /tmp -type l`.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting write permissions on directories where mkfifo is used to prevent attackers from creating malicious symlinks.
Avoid running mkfifo commands in untrusted directories or with untrusted input.
Apply updates or patches provided by the uutils coreutils project that address this TOCTOU race condition.
As a workaround, avoid using mkfifo without the -m flag, since the redundant chmod call is part of the vulnerability.
Monitor and audit file permission changes on sensitive files to detect any unauthorized modifications quickly.