CVE-2026-35357
Received Received - Intake
Race Condition in uutils coreutils cp Causes Information Disclosure

Publication date: 2026-04-22

Last updated on: 2026-04-24

Assigner: Canonical Ltd.

Description
The cp utility in uutils coreutils is vulnerable to an information disclosure race condition. Destination files are initially created with umask-derived permissions (e.g., 0644) before being restricted to their final mode (e.g., 0600) later in the process. A local attacker can race to open the file during this window; once obtained, the file descriptor remains valid and readable even after the permissions are tightened, exposing sensitive or private file contents.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35357
EUVD
EUVD-2026-24996
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
uutils coreutils *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the cp utility of uutils coreutils, where a race condition can lead to information disclosure. When a destination file is created, it initially has permissions derived from the system's umask (for example, 0644), which are more permissive. Later, the permissions are restricted to a more secure mode (such as 0600). However, during the time window before the permissions are tightened, a local attacker can race to open the file. Once the attacker obtains a file descriptor, it remains valid and readable even after the permissions are changed, allowing exposure of sensitive or private file contents.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive or private information. A local attacker could exploit the race condition to gain read access to files that are intended to be protected by restrictive permissions. This exposure could compromise confidentiality of data, potentially leading to information leaks or privacy violations.

Detection Guidance

This vulnerability can be detected by monitoring the system calls involved in the file copying process, specifically looking for the race condition between file creation and permission tightening.

Using system call tracing tools like strace, you can observe the sequence of calls such as openat, fchmod, and chmod during a cp operation (e.g., cp /tmp/a.txt /tmp/b.txt) to identify if the destination file is initially created with broad permissions before being restricted.

  • Run: strace -e trace=openat,fchmod,chmod cp /tmp/a.txt /tmp/b.txt

If you see the destination file being opened with umask-derived permissions before the final mode is applied, this indicates the presence of the race condition.

Compliance Impact

This vulnerability allows a local attacker to access sensitive or private file contents due to a race condition in file permission setting. Such unauthorized disclosure of sensitive information could potentially lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls to prevent unauthorized access to personal or protected health information.

Because the vulnerability exposes files during a window where permissions are not yet fully restricted, it increases the risk of data leakage, which is a critical concern under these regulations.

Mitigation Strategies

Immediate mitigation involves avoiding the use of the vulnerable cp utility from uutils coreutils for copying sensitive files, especially in shared directories like /tmp.

As a workaround, use alternative cp implementations such as GNU cp, which mitigates this issue by creating destination files with restrictive permissions from the outset using the O_EXCL flag.

Additionally, restrict access to shared directories and avoid copying sensitive files there until a patched version of uutils coreutils is available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35357. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart