CVE-2026-35342
Insecure Temporary File Creation in uutils mktemp Due to TMPDIR Handling
Publication date: 2026-04-22
Last updated on: 2026-05-04
Assigner: Canonical Ltd.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uutils | coreutils | up to 0.6.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-377 | Creating and using insecure temporary files can leave application and system data vulnerable to attack. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the mktemp utility of uutils coreutils, which does not properly handle an empty TMPDIR environment variable. Unlike GNU mktemp, which falls back to /tmp when TMPDIR is empty, uutils mktemp treats the empty string as a valid path. As a result, temporary files are created in the current working directory instead of a secure temporary directory.
As a result, if the current working directory has more permissive access controls or is accessible by other users, temporary files may be exposed unintentionally.
How can this vulnerability impact me?
This vulnerability can lead to unintended information disclosure or unauthorized access to temporary data. Since temporary files are created in the current working directory rather than a secure temporary directory, other users with access to that directory might be able to read sensitive temporary files.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes temporary files to be created in the current working directory instead of a secure temporary directory like /tmp. If the current working directory has more permissive access controls, this may lead to unintended information disclosure or unauthorized access to temporary data.
Such unintended disclosure or unauthorized access to temporary data could potentially impact compliance with data protection regulations and standards such as GDPR or HIPAA, which require appropriate safeguards to protect sensitive information.
However, the CVE description does not explicitly mention compliance impacts or specific regulatory consequences.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking whether the mktemp utility from uutils coreutils is handling an empty TMPDIR environment variable incorrectly. Specifically, you can test if setting TMPDIR to an empty string causes temporary files to be created in the current working directory instead of /tmp.
A simple command to test this behavior is to run mktemp with TMPDIR set to an empty string and observe where the temporary file is created.
- TMPDIR= mktemp
If the printed path points into the current working directory rather than under /tmp, the installed mktemp is affected.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, avoid setting the TMPDIR environment variable to an empty string when using the uutils coreutils mktemp utility.
Alternatively, ensure that TMPDIR is either unset or set to a valid secure temporary directory such as /tmp.
Additionally, consider updating or patching the uutils coreutils package once a fix is available to ensure proper handling of TMPDIR.
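The script below is an added example, not code from the advisory or from the uutils project. It runs the detection check from the previous answer inside a disposable directory (cleaning up the probe file), and shows the TMPDIR normalisation a wrapper should apply before calling mktemp, as the mitigation answer recommends. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the advisory or uutils): probe the installed mktemp
# for the empty-TMPDIR behaviour and wrap mktemp so an empty TMPDIR is
# normalised to /tmp. Function names are hypothetical.

# Directory mktemp should fall back to: a set, non-empty TMPDIR, else /tmp.
# This is the GNU behaviour the advisory treats as correct.
effective_tmpdir() {
    if [ -n "${TMPDIR:-}" ]; then
        printf '%s\n' "$TMPDIR"
    else
        printf '%s\n' /tmp
    fi
}

# Run 'TMPDIR= mktemp' inside a disposable directory and report where the
# file landed: prints "vulnerable" if it was created in the current working
# directory (uutils coreutils < 0.6.0), "ok" if it went elsewhere (e.g. /tmp).
# The probe file and the disposable directory are always removed.
probe_mktemp_empty_tmpdir() {
    probe_dir=$(mktemp -d) || return 2
    verdict=$(
        cd "$probe_dir" || exit 2
        f=$(TMPDIR= mktemp) || exit 2
        case $f in
            /*) parent=$(dirname "$f") ;;   # absolute path: inspect its parent
            *)  parent=$(pwd) ;;            # bare file name: it is in the cwd
        esac
        rm -f -- "$f"
        if [ "$parent" = "$(pwd)" ]; then echo vulnerable; else echo ok; fi
    )
    rc=$?
    rm -rf -- "$probe_dir"
    [ "$rc" -eq 0 ] || return "$rc"
    printf '%s\n' "$verdict"
}

# Drop-in replacement for bare mktemp in scripts: normalises TMPDIR first so
# an empty value can never redirect temporary files into the working directory.
safe_mktemp() {
    TMPDIR=$(effective_tmpdir) mktemp "$@"
}

# Stand-alone usage: print the verdict for the mktemp on this system.
probe_mktemp_empty_tmpdir
```

The probe's verdict depends on which mktemp is installed, so the script reports either "ok" or "vulnerable"; scripts that must keep working on an affected version can call safe_mktemp in place of mktemp.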