CVE-2026-35359
Received Received - Intake
TOCTOU Vulnerability in uutils cp Allows Sensitive File Exposure

Publication date: 2026-04-22

Last updated on: 2026-04-24

Assigner: Canonical Ltd.

Description
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a source path is a symbolic link using path-based metadata but subsequently opens it without the O_NOFOLLOW flag. An attacker with concurrent write access can swap a regular file for a symbolic link during this window, causing a privileged cp process to copy the contents of arbitrary sensitive files into a destination controlled by the attacker.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-35359
EUVD
EUVD-2026-25000
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
uutils coreutils *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This TOCTOU vulnerability in the cp utility can lead to unauthorized disclosure of sensitive data by allowing an attacker to cause a privileged process to copy contents of arbitrary sensitive files into attacker-controlled locations.

Such unauthorized data exposure could potentially violate data protection requirements in standards and regulations like GDPR and HIPAA, which mandate strict controls on access to and handling of sensitive personal or health information.

Therefore, exploitation of this vulnerability may result in non-compliance with these regulations due to failure to adequately protect sensitive data from unauthorized access or leakage.

Detection Guidance

This vulnerability involves a race condition in the cp utility where a symbolic link can be swapped in between a metadata check and file open operation. Detecting this vulnerability on your system involves verifying the version of the uutils coreutils cp command and checking if it uses the O_NOFOLLOW flag when opening source files.

You can attempt to detect exploitation attempts by monitoring for rapid changes or swaps of files and symbolic links in directories where cp commands are run with elevated privileges.

There are no specific commands provided to detect the vulnerability directly, but you can check the behavior of cp with strace or similar tools to see if it opens files without O_NOFOLLOW.

  • Use strace to monitor cp system calls: strace -e openat cp /path/to/source /path/to/dest
  • Check for rapid file or symlink swaps in source directories using inotifywait or auditd.
  • Verify the version of uutils coreutils installed and check if it is patched against CVE-2026-35359.
Mitigation Strategies

To mitigate this vulnerability, you should ensure that the cp utility in uutils coreutils is updated to a version that properly uses the O_NOFOLLOW flag when opening source files, preventing symlink following during the copy operation.

Until a patch is applied, avoid running cp commands with elevated privileges on directories where untrusted users have write access, as this allows exploitation of the race condition.

  • Update uutils coreutils to a patched version that fixes the TOCTOU vulnerability.
  • Restrict write permissions on source directories to trusted users only.
  • Avoid running cp with elevated privileges on directories writable by untrusted users.
  • Monitor for suspicious file or symlink swaps in source directories.
Executive Summary

This vulnerability is a Time-of-Check to Time-of-Use (TOCTOU) flaw in the cp utility of uutils coreutils. The utility first checks if a source path is a symbolic link by examining path-based metadata, but then opens the file without using the O_NOFOLLOW flag. This creates a window where an attacker with concurrent write access can replace a regular file with a symbolic link. As a result, a privileged cp process may end up copying the contents of arbitrary sensitive files to a location controlled by the attacker.

Impact Analysis

The vulnerability can allow an attacker to bypass the intended no-dereference behavior of the cp utility, potentially causing a privileged process to copy sensitive files to attacker-controlled destinations. This can lead to unauthorized disclosure of sensitive information, compromising confidentiality.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35359. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart