CVE-2026-35360
Status: Received - Intake
TOCTOU Race Condition in uutils coreutils touch Causes Data Loss

Publication date: 2026-04-22

Last updated on: 2026-04-24

Assigner: Canonical Ltd.

Description
The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: uutils
Product: coreutils
Version / Range: *
CWE
CWE-367: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in the touch utility of uutils coreutils and is a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation.

When touch detects that a file path is missing, it later tries to create the file using File::create(), which uses the O_TRUNC flag internally.

An attacker can exploit the time window between the check and the use by creating a file or swapping a symlink at the target path, causing touch to truncate an existing file.

This results in permanent data loss of the truncated file.


How can this vulnerability impact me?

This vulnerability can lead to permanent data loss by truncating existing files unexpectedly.

An attacker with the ability to manipulate file paths can exploit the race condition to replace or modify files, potentially disrupting system operations or causing loss of important data.

The CVSS score indicates a moderate severity with high impact on integrity and availability, meaning the vulnerability can affect the correctness and accessibility of data.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring the behavior of the uutils touch command, especially when it operates on missing paths. One way to detect the race condition is by tracing system calls to observe the sequence of statx() followed by openat() with O_CREAT|O_TRUNC flags, which indicates the vulnerable pattern.

A practical approach is to use syscall tracing tools such as strace to observe the touch command's system calls on a test missing path. For example, running the following command can help detect the vulnerable behavior:

  • strace -e trace=openat,statx touch /path/to/nonexistent/file

If the trace shows a statx() call returning ENOENT followed by an openat() call with flags including O_CREAT and O_TRUNC, this indicates the presence of the vulnerable sequence.
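The check described in the answer above, turned into a small scanner over strace output, as an added example that is not part of this record or of the uutils project. The two trace samples are constructed for the example (not captured from a real run); the function names are hypothetical. The scanner reports a path only when a statx() that failed with ENOENT is later followed by an openat() on the same path whose flag set contains both O_CREAT and O_TRUNC, so the single-open, no-O_TRUNC pattern the page attributes to GNU touch is not flagged.

```rust
/// Constructed sample of what `strace -e trace=openat,statx` could print for a
/// check-then-create sequence: a statx() that fails with ENOENT, then an
/// openat() carrying O_CREAT|O_TRUNC on the same path. Not a captured trace.
pub const SAMPLE_VULNERABLE_TRACE: &str = "\
statx(AT_FDCWD, \"/tmp/demo/newfile\", AT_STATX_SYNC_AS_STAT, STATX_ALL, 0x7ffd0000) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, \"/tmp/demo/newfile\", O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0666) = 3
";

/// Constructed sample of the single-open pattern the page attributes to GNU
/// touch: no prior existence check and no O_TRUNC. Not a captured trace.
pub const SAMPLE_SAFE_TRACE: &str = "\
openat(AT_FDCWD, \"/tmp/demo/newfile\", O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK, 0666) = 3
";

/// Split a strace line into its first double-quoted argument (the path) and
/// the remainder of the line after the closing quote.
fn split_path(line: &str) -> Option<(&str, &str)> {
    let start = line.find('"')? + 1;
    let len = line[start..].find('"')?;
    Some((&line[start..start + len], &line[start + len + 1..]))
}

/// Flags of an openat() line are the argument that follows the path; split the
/// O_* names on '|'.
fn open_flags(rest: &str) -> Vec<&str> {
    rest.split(',')
        .nth(1)
        .map(|f| f.trim().split('|').collect())
        .unwrap_or_default()
}

/// Scan strace output, one syscall per line, and return every path for which a
/// statx() returning ENOENT was later followed by an openat() whose flags
/// include both O_CREAT and O_TRUNC. That ordered pair is the TOCTOU signature
/// described above; a creating open without O_TRUNC, or a truncating open with
/// no preceding failed check on that path, is not reported.
pub fn find_toctou_sequences(trace: &str) -> Vec<String> {
    let mut seen_missing: std::collections::HashSet<String> = std::collections::HashSet::new();
    let mut hits = Vec::new();
    for raw in trace.lines() {
        let line = raw.trim();
        let (path, rest) = match split_path(line) {
            Some(parts) => parts,
            None => continue,
        };
        if line.starts_with("statx(") && rest.contains("= -1 ENOENT") {
            seen_missing.insert(path.to_string());
        } else if line.starts_with("openat(") {
            let flags = open_flags(rest);
            let truncating_create =
                flags.contains(&"O_CREAT") && flags.contains(&"O_TRUNC");
            if truncating_create && seen_missing.remove(path) {
                hits.push(path.to_string());
            }
        }
    }
    hits
}

fn main() {
    println!("vulnerable trace -> {:?}", find_toctou_sequences(SAMPLE_VULNERABLE_TRACE));
    println!("safe trace       -> {:?}", find_toctou_sequences(SAMPLE_SAFE_TRACE));
}
```

To use it on a real capture, save the output of the strace command above to a file and pass its contents to find_toctou_sequences; an empty result means the check-then-truncate pair was not observed in that run.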


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability in the touch utility can lead to permanent data loss by truncating existing files due to a TOCTOU race condition. Such data loss could impact the integrity and availability of data, which are critical aspects of compliance with standards like GDPR and HIPAA.

Specifically, loss of data integrity and availability may result in non-compliance with requirements to protect personal or sensitive information, potentially leading to violations of these regulations.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include avoiding the use of the vulnerable uutils touch utility on directories or paths writable by untrusted users or attackers, especially when running with elevated privileges.

Alternatively, use the GNU coreutils touch command, which avoids this race condition by using a single openat() call without O_TRUNC and without a prior existence check, thereby eliminating the race window.

Additionally, applying any available patches or updates from the uutils coreutils project that address this issue is recommended to prevent exploitation.
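The two patterns discussed in the description and in the mitigation answer, side by side, as an added example written against the Rust standard library; it is not the uutils code and the function names are hypothetical. The vulnerable form is split into its check half and its use half so the interleaving can be replayed deterministically: a file with content is written between the two halves, and File::create (O_WRONLY|O_CREAT|O_TRUNC) empties it. The hardened form follows the single-open approach the page attributes to GNU touch: one open that creates when absent and never truncates, with no separate existence check, so there is no window. Setting the timestamps, the utility's remaining step, is left out.

```rust
use std::fs::{self, File, OpenOptions};
use std::io;
use std::path::{Path, PathBuf};
use std::sync::atomic::{AtomicU64, Ordering};

/// Check half of the vulnerable check-then-create pattern: is the path absent
/// at this instant? (Hypothetical restatement of the logic the page describes.)
pub fn path_is_missing(path: &Path) -> bool {
    !path.exists()
}

/// Use half of the vulnerable pattern. File::create opens with
/// O_WRONLY|O_CREAT|O_TRUNC, so whatever came to exist at `path` after the
/// check above is emptied.
pub fn create_with_truncate(path: &Path) -> io::Result<()> {
    File::create(path).map(|_| ())
}

/// Hardened form: a single open that creates the file when absent and never
/// truncates. There is no separate existence check, hence no window between a
/// check and a use. Timestamp updates are omitted in this example.
pub fn touch_without_truncate(path: &Path) -> io::Result<()> {
    OpenOptions::new()
        .write(true)
        .create(true)
        .truncate(false)
        .open(path)
        .map(|_| ())
}

static COUNTER: AtomicU64 = AtomicU64::new(0);

/// Fresh scratch path under the OS temporary directory (constructed name).
pub fn scratch_path(tag: &str) -> PathBuf {
    let n = COUNTER.fetch_add(1, Ordering::SeqCst);
    std::env::temp_dir().join(format!("toctou-demo-{}-{}-{}", std::process::id(), tag, n))
}

/// Deterministic replay of the race: run the check while the path is absent,
/// let a file with content appear (standing in for whatever lands in the
/// window), then run the truncating create. Returns the content left
/// afterwards and removes the scratch file.
pub fn replay_vulnerable(path: &Path) -> io::Result<String> {
    if !path_is_missing(path) {
        return Err(io::Error::new(
            io::ErrorKind::AlreadyExists,
            "scratch path must start absent",
        ));
    }
    fs::write(path, "important data")?; // arrives between check and use
    create_with_truncate(path)?;
    let left = fs::read_to_string(path)?;
    fs::remove_file(path)?;
    Ok(left)
}

/// Same pre-existing content against the hardened form: it survives.
pub fn replay_hardened(path: &Path) -> io::Result<String> {
    fs::write(path, "important data")?;
    touch_without_truncate(path)?;
    let left = fs::read_to_string(path)?;
    fs::remove_file(path)?;
    Ok(left)
}

fn main() -> io::Result<()> {
    println!("after vulnerable sequence: {:?}", replay_vulnerable(&scratch_path("vuln"))?);
    println!("after hardened sequence:   {:?}", replay_hardened(&scratch_path("hard"))?);
    Ok(())
}
```

The point of the replay is that the fix is not a faster check but the removal of the check: once creation and non-truncation are a single open(2), nothing that happens before the call can turn it into a truncate.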

