CVE-2026-35360
Received Received - Intake
TOCTOU Race Condition in uutils coreutils touch Causes Data Loss

Publication date: 2026-04-22

Last updated on: 2026-04-24

Assigner: Canonical Ltd.

Description
The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-35360
EUVD
EUVD-2026-25002
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
uutils coreutils *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability in the touch utility can lead to permanent data loss by truncating existing files due to a TOCTOU race condition. Such data loss could impact the integrity and availability of data, which are critical aspects of compliance with standards like GDPR and HIPAA.

Specifically, loss of data integrity and availability may result in non-compliance with requirements to protect personal or sensitive information, potentially leading to violations of these regulations.

Executive Summary

The vulnerability exists in the touch utility of uutils coreutils and is a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation.

When touch detects that a file path is missing, it later tries to create the file using File::create(), which uses the O_TRUNC flag internally.

An attacker can exploit the time window between the check and the use by creating a file or swapping a symlink at the target path, causing touch to truncate an existing file.

This results in permanent data loss of the truncated file.

Impact Analysis

This vulnerability can lead to permanent data loss by truncating existing files unexpectedly.

An attacker with the ability to manipulate file paths can exploit the race condition to replace or modify files, potentially disrupting system operations or causing loss of important data.

The CVSS score indicates a moderate severity with high impact on integrity and availability, meaning the vulnerability can affect the correctness and accessibility of data.

Detection Guidance

This vulnerability can be detected by monitoring the behavior of the uutils touch command, especially when it operates on missing paths. One way to detect the race condition is by tracing system calls to observe the sequence of statx() followed by openat() with O_CREAT|O_TRUNC flags, which indicates the vulnerable pattern.

A practical approach is to use syscall tracing tools such as strace to observe the touch command's system calls on a test missing path. For example, running the following command can help detect the vulnerable behavior:

  • strace -e trace=openat,statx touch /path/to/nonexistent/file

If the trace shows a statx() call returning ENOENT followed by an openat() call with flags including O_CREAT and O_TRUNC, this indicates the presence of the vulnerable sequence.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the vulnerable uutils touch utility on directories or paths writable by untrusted users or attackers, especially when running with elevated privileges.

Alternatively, use the GNU coreutils touch command, which avoids this race condition by using a single openat() call without O_TRUNC and without a prior existence check, thereby eliminating the race window.

Additionally, applying any available patches or updates from the uutils coreutils project that address this issue is recommended to prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35360. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart