CVE-2026-35353
Race Condition in uutils coreutils mkdir Causes Unauthorized Access
Publication date: 2026-04-22
Last updated on: 2026-04-27
Assigner: Canonical Ltd.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uutils | coreutils | up to 0.6.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a race condition in the mkdir utility when using the -m flag, where directories are briefly created with permissions derived from the umask before being changed to the requested mode. Detection involves checking if directories created with mkdir -m have a brief window of more permissive access than intended.
To detect this on your system, you can monitor directory creation events and verify permissions immediately after creation. However, since the window is very brief, direct detection via commands is challenging.
One approach is to audit or log mkdir system calls with permission flags, or use filesystem monitoring tools like inotify to watch for directory creation and check permissions.
Specific commands to check directory permissions after creation include:
- Use inotifywait to monitor directory creation: `inotifywait -m -e create --format '%w%f' /path/to/watch`
- Check permissions immediately after creation: `ls -ld /path/to/watch/new_directory`
- Audit mkdir usage with auditd by adding a rule that watches executions of the binary: `auditctl -w /usr/bin/mkdir -p x`
Because the vulnerability is a race condition occurring during directory creation, detection is best done by ensuring the mkdir utility is updated to the fixed version rather than relying solely on runtime detection.
Can you explain this vulnerability to me?
The vulnerability exists in the mkdir utility of uutils coreutils when using the -m flag to set directory permissions. Instead of directly creating the directory with the requested permissions, mkdir first creates the directory with default permissions derived from the process umask (usually resulting in 0755), then changes the permissions afterward using a separate chmod call. This creates a brief time window where the directory has more permissive access than intended.
In multi-user environments, this means that a directory meant to be private could be temporarily accessible to other users, potentially exposing sensitive data.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized data access because directories intended to be private may be briefly accessible to other users on the system. If sensitive information is stored in these directories, other users could potentially view or access that data during the short window before permissions are corrected.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the mkdir utility causes directories to be briefly created with more permissive access than intended, potentially allowing unauthorized users to access private directories. This temporary exposure of data could lead to non-compliance with standards and regulations such as GDPR and HIPAA, which require strict controls on access to sensitive or personal data to prevent unauthorized disclosure.
Specifically, the brief window where directory permissions are not correctly applied may violate principles of data confidentiality and access control mandated by these regulations.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the uutils coreutils package to a version that includes the fix for CVE-2026-35353.
The fix involves modifying mkdir to create directories atomically with the correct permissions by temporarily disabling the process umask during the mkdir syscall, eliminating the race condition.
Until the update is applied, avoid using mkdir with the -m flag in multi-user environments where directory permissions are critical, or manually set permissions after creation with caution.
Additionally, consider restricting access to the mkdir utility or running directory creation commands in controlled environments to minimize exposure.
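The two creation patterns described above, shown at the syscall level as an added example (C written for this page, not the uutils Rust code). The function names, the `/tmp` paths and the 0777 base mode passed to the first `mkdir` are assumptions made for the illustration.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permission bits of path, or (mode_t)-1 if it cannot be stat'ed. */
static mode_t mode_of(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (st.st_mode & 0777) : (mode_t)-1;
}

/* Affected pattern: create under the umask, then chmod to the requested mode.
 * Returns the mode visible to other users between the two syscalls. */
mode_t mkdir_then_chmod(const char *path, mode_t want) {
    if (mkdir(path, 0777) != 0)       /* kernel stores 0777 & ~umask (assumed base mode) */
        return (mode_t)-1;
    mode_t window = mode_of(path);    /* state during the race window */
    return chmod(path, want) == 0 ? window : (mode_t)-1;
}

/* Fixed pattern: clear the umask around one mkdir(2) so the directory is
 * created with `want`. umask is process-wide, so this is only safe where no
 * other thread creates files concurrently. Returns the mode at creation. */
mode_t mkdir_with_mode(const char *path, mode_t want) {
    mode_t saved = umask(0);
    int rc = mkdir(path, want);
    umask(saved);                     /* always restore the caller's umask */
    return rc == 0 ? mode_of(path) : (mode_t)-1;
}

/* Bits that were observable but never requested. */
mode_t excess_bits(mode_t observed, mode_t want) {
    return observed & ~want & 0777;
}

int main(void) {
    const char *a = "/tmp/mkdir_race_demo_a", *b = "/tmp/mkdir_race_demo_b"; /* constructed paths */
    umask(022);                       /* common default, set for a repeatable run */
    mode_t w = mkdir_then_chmod(a, 0700), f = mkdir_with_mode(b, 0700);
    printf("mkdir+chmod: %04o before chmod, excess bits %03o\n",
           (unsigned)w, (unsigned)excess_bits(w, 0700));
    printf("single mkdir: %04o from creation, excess bits %03o\n",
           (unsigned)f, (unsigned)excess_bits(f, 0700));
    rmdir(a);
    rmdir(b);
    return 0;
}
```

With a umask of 022 and a requested mode of 0700, the first pattern leaves group and other read/execute bits set until the chmod lands, while the second never exposes them.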