CVE-2026-35359
TOCTOU Vulnerability in uutils cp Allows Sensitive File Exposure
Publication date: 2026-04-22
Last updated on: 2026-04-24
Assigner: Canonical Ltd.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uutils | coreutils | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Time-of-Check to Time-of-Use (TOCTOU) flaw in the cp utility of uutils coreutils. The utility first checks if a source path is a symbolic link by examining path-based metadata, but then opens the file without using the O_NOFOLLOW flag. This creates a window where an attacker with concurrent write access can replace a regular file with a symbolic link. As a result, a privileged cp process may end up copying the contents of arbitrary sensitive files to a location controlled by the attacker.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to bypass the intended no-dereference behavior of the cp utility, potentially causing a privileged process to copy sensitive files to attacker-controlled destinations. This can lead to unauthorized disclosure of sensitive information, compromising confidentiality.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This TOCTOU vulnerability in the cp utility can lead to unauthorized disclosure of sensitive data by allowing an attacker to cause a privileged process to copy contents of arbitrary sensitive files into attacker-controlled locations.
Such unauthorized data exposure could potentially violate data protection requirements in standards and regulations like GDPR and HIPAA, which mandate strict controls on access to and handling of sensitive personal or health information.
Therefore, exploitation of this vulnerability may result in non-compliance with these regulations due to failure to adequately protect sensitive data from unauthorized access or leakage.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a race condition in the cp utility where a symbolic link can be swapped in between a metadata check and file open operation. Detecting this vulnerability on your system involves verifying the version of the uutils coreutils cp command and checking if it uses the O_NOFOLLOW flag when opening source files.
You can attempt to detect exploitation attempts by monitoring for rapid changes or swaps of files and symbolic links in directories where cp commands are run with elevated privileges.
There are no specific commands provided to detect the vulnerability directly, but you can check the behavior of cp with strace or similar tools to see if it opens files without O_NOFOLLOW.
- Use strace to monitor cp system calls: strace -e openat cp /path/to/source /path/to/dest
- Check for rapid file or symlink swaps in source directories using inotifywait or auditd.
- Verify the version of uutils coreutils installed and check if it is patched against CVE-2026-35359.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should ensure that the cp utility in uutils coreutils is updated to a version that properly uses the O_NOFOLLOW flag when opening source files, preventing symlink following during the copy operation.
Until a patch is applied, avoid running cp commands with elevated privileges on directories where untrusted users have write access, as this allows exploitation of the race condition.
- Update uutils coreutils to a patched version that fixes the TOCTOU vulnerability.
- Restrict write permissions on source directories to trusted users only.
- Avoid running cp with elevated privileges on directories writable by untrusted users.
- Monitor for suspicious file or symlink swaps in source directories.