Compliance Impact

The vulnerability in the mknod utility can lead to device nodes being left with incorrect SELinux security labels, potentially allowing unauthorized access to these device nodes. This undermines mandatory access controls and system security integrity.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the presence of mislabeled device nodes that allow unauthorized access could lead to violations of security requirements in such regulations, which mandate strict access controls and protection of sensitive data.

Therefore, this vulnerability could negatively impact compliance with security-focused regulations by weakening the enforcement of access controls on device nodes.

Useful 0 Not Useful 0

Executive Summary

The vulnerability involves the mknod utility in uutils coreutils, which does not handle security labels atomically. It creates device nodes before setting the SELinux context. If setting the security label fails, the utility tries to clean up using a method that cannot remove device nodes or FIFOs, leaving behind mislabeled nodes with incorrect default security contexts.

These mislabeled device nodes may have weaker security restrictions than intended, potentially allowing unauthorized access to device nodes that should have been protected by mandatory access controls.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized access to device nodes because mislabeled nodes may not enforce the intended SELinux security policies.

As a result, attackers or unauthorized users might gain access to sensitive device nodes, potentially compromising system security or privacy.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the creation of device nodes with incorrect SELinux security labels due to improper cleanup after a failed context application. Detection involves checking for mislabeled device nodes or FIFOs that remain on the system.

One way to detect this is to look for device nodes or FIFOs that have default or incorrect SELinux contexts, which should normally be restricted by mandatory access controls.

• Use the `ls -Z` command on directories where device nodes are created (e.g., /dev or /tmp) to inspect SELinux contexts of device nodes.
• Example command: `ls -lZ /tmp | grep -E '^[c|p]'` to list character devices and FIFOs with their SELinux labels.
• Check for device nodes that persist after failed attempts to create them with specific SELinux contexts, for example by running a test similar to the regression test described: `mknod --context=invalid_context_t /tmp/testnode c 1 3` and then verifying if `/tmp/testnode` still exists.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, update the uutils coreutils package to a version that includes the fix for CVE-2026-35361.

The fix replaces the incorrect cleanup method with one that properly removes device nodes and FIFOs if setting the SELinux context fails, preventing leftover mislabeled nodes.

Until the update is applied, manually check for and remove any device nodes or FIFOs that may have been created with incorrect SELinux contexts to avoid unauthorized access.

• Apply the patch or upgrade to the fixed version of uutils/coreutils merged on January 31, 2026.
• Regularly audit device nodes and FIFOs for correct SELinux labeling using commands like `ls -Z`.
• Avoid creating device nodes with invalid SELinux contexts until the fix is applied.

Useful 0 Not Useful 0