How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves a Time-of-Check to Time-of-Use (TOCTOU) symlink race condition in the `install -D` command of uutils coreutils. Detection involves monitoring for suspicious symbolic link substitutions during directory creation and file installation operations.

To detect potential exploitation attempts or presence of this vulnerability on your system, you can check for unexpected symbolic links in directories involved in installation processes or monitor for race conditions by observing filesystem changes during `install -D` usage.

Suggested commands to help detect or investigate this issue include:

• Use `find` to locate symbolic links in relevant directories: `find /path/to/target -type l -ls`
• Monitor filesystem events with `inotifywait` to detect rapid changes or symlink creations during installation: `inotifywait -m -r /path/to/target`
• Audit usage of the `install` command with system auditing tools like `auditd` to log calls to `install -D` and detect suspicious activity.

Note that the vulnerability is specifically in the `install -D` command of uutils coreutils before the fix, so verifying the version of uutils coreutils installed and applying patches is critical.

Useful 0 Not Useful 0

Can you explain this vulnerability to me?

This vulnerability is a Time-of-Check to Time-of-Use (TOCTOU) flaw in the install utility of uutils coreutils when used with the -D flag. The install command first creates parent directories and then performs a second path resolution to create the target file. However, neither operation is anchored to a directory file descriptor, which means an attacker with concurrent write access can replace a path component with a symbolic link between these two operations. This allows the attacker to redirect the privileged write operation to an arbitrary location in the file system.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

The vulnerability can allow an attacker with concurrent write access to redirect privileged file creation or modification to arbitrary locations. This can lead to unauthorized modification of files, potentially compromising system integrity or security. Because the attacker can influence where files are written, they might overwrite critical system files or place malicious files in sensitive locations.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The CVE-2026-35356 vulnerability is a Time-of-Check to Time-of-Use (TOCTOU) symlink race condition in the install utility of uutils coreutils that allows an attacker with concurrent write access to redirect privileged file writes to arbitrary locations.

Such a vulnerability could potentially impact compliance with standards and regulations like GDPR and HIPAA because it allows unauthorized modification of files, which may lead to unauthorized data alteration or exposure. This undermines data integrity and security controls required by these regulations.

However, the provided information does not explicitly discuss compliance impacts or mitigation in the context of these standards.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

To mitigate the CVE-2026-35356 vulnerability, you should update the uutils coreutils package to a version that includes the fix for the install utility's -D flag.

The fix replaces vulnerable pathname-based operations with directory file descriptor-based operations (using mkdirat() and openat()), which prevents symlink race conditions.

Ensure that your system uses the patched version where the install command anchors all file and directory operations to directory file descriptors, detects and removes symlinks before directory creation, and fails immediately if the target exists as a file instead of a directory.

Useful 0 Not Useful 0