Executive Summary

This vulnerability exists in the install utility of uutils coreutils and is a Time-of-Check to Time-of-Use (TOCTOU) race condition during file installation.

The utility first unlinks (deletes) an existing destination file and then recreates it without using the O_EXCL flag, which is meant to prevent race conditions.

Because of this, a local attacker can exploit the time window between the unlinking and the file creation by swapping the intended file path with a symbolic link.

This allows the attacker to redirect privileged writes to overwrite arbitrary system files.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow a local attacker to overwrite arbitrary system files with privileged writes.

Such unauthorized overwriting can lead to system compromise, including potential privilege escalation or disruption of system operations.

The CVSS score of 6.3 indicates a medium severity impact, with high impact on integrity and availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability is a local Time-Of-Check to Time-Of-Use (TOCTOU) race condition in the `install` utility of uutils coreutils, which involves file operations and symbolic link manipulation.

Detection involves checking if the vulnerable version of the `install` utility is present and potentially testing for the race condition by attempting to exploit the window between unlinking and file creation.

A practical approach includes verifying the version of uutils coreutils installed and running tests similar to the one added in the fix, such as `test_install_replaces_symlink()`, which checks if the `install` command follows symlinks during file replacement.

While no specific commands are provided, you can check the version of the `install` utility with commands like `install --version` or by inspecting the package version of uutils coreutils.

Additionally, manual testing based on the exploit scenario (e.g., creating a symlink and attempting to replace a file using `install`) can help detect if the vulnerability exists.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to update the `install` utility in uutils coreutils to a version that includes the fix for CVE-2026-35355.

The fix involves using atomic file creation with the `O_EXCL` flag to prevent the TOCTOU race condition and symlink exploitation.

Until the update is applied, avoid running the vulnerable `install` utility in untrusted or multi-user environments where local attackers could exploit the race condition.

Review and apply the patch from Pull Request #10067 or upgrade to a version of uutils coreutils released after January 17, 2026, when the fix was merged.

Useful 0 Not Useful 0

Compliance Impact

The CVE-2026-35355 vulnerability allows a local attacker to exploit a race condition to overwrite arbitrary system files by redirecting privileged writes through symbolic links. This could lead to unauthorized modification of system files, potentially compromising system integrity and security.

Such unauthorized file modifications can impact compliance with standards and regulations like GDPR and HIPAA, which require maintaining the confidentiality, integrity, and availability of sensitive data and systems. If exploited, this vulnerability could undermine these requirements by enabling privilege escalation or unauthorized changes to critical files.

However, the vulnerability is local and requires low privileges but high attack complexity, and it does not directly disclose data (no confidentiality impact). The fix implemented enforces atomic file creation to prevent exploitation, thereby helping to maintain compliance by protecting system integrity.

Useful 0 Not Useful 0