CVE-2026-35357
Race Condition in uutils coreutils cp Causes Information Disclosure
Publication date: 2026-04-22
Last updated on: 2026-04-24
Assigner: Canonical Ltd.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uutils | coreutils | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows a local attacker to access sensitive or private file contents due to a race condition in file permission setting. Such unauthorized disclosure of sensitive information could potentially lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls to prevent unauthorized access to personal or protected health information.
Because the vulnerability exposes files during a window where permissions are not yet fully restricted, it increases the risk of data leakage, which is a critical concern under these regulations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the system calls involved in the file copying process, specifically looking for the race condition between file creation and permission tightening.
Using system call tracing tools like strace, you can observe the sequence of calls such as openat, fchmod, and chmod during a cp operation (e.g., cp /tmp/a.txt /tmp/b.txt) to identify if the destination file is initially created with broad permissions before being restricted.
- Run: strace -e trace=openat,fchmod,chmod cp /tmp/a.txt /tmp/b.txt
If you see the destination file being opened with umask-derived permissions before the final mode is applied, this indicates the presence of the race condition.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves avoiding the use of the vulnerable cp utility from uutils coreutils for copying sensitive files, especially in shared directories like /tmp.
As a workaround, use alternative cp implementations such as GNU cp, which mitigates this issue by creating destination files with restrictive permissions from the outset using the O_EXCL flag.
Additionally, restrict access to shared directories and avoid copying sensitive files there until a patched version of uutils coreutils is available.
Can you explain this vulnerability to me?
The vulnerability exists in the cp utility of uutils coreutils, where a race condition can lead to information disclosure. When a destination file is created, it initially has permissions derived from the system's umask (for example, 0644), which are more permissive. Later, the permissions are restricted to a more secure mode (such as 0600). However, during the time window before the permissions are tightened, a local attacker can race to open the file. Once the attacker obtains a file descriptor, it remains valid and readable even after the permissions are changed, allowing exposure of sensitive or private file contents.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of sensitive or private information. A local attacker could exploit the race condition to gain read access to files that are intended to be protected by restrictive permissions. This exposure could compromise confidentiality of data, potentially leading to information leaks or privacy violations.