Mitigation Strategies

To mitigate the CVE-2026-35364 vulnerability, avoid performing cross-device move operations using the vulnerable uutils/coreutils mv utility until a patch is applied.

Restrict write access to destination directories to trusted users only, as local attackers with write permissions can exploit the race condition.

Monitor for updates or patches from the uutils/coreutils project and apply them promptly once available to fix the TOCTOU race condition.

As a temporary workaround, consider using alternative move commands or utilities that do not exhibit this race condition for cross-device moves.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow a local attacker with write access to the destination directory to overwrite arbitrary files by redirecting the move operation through a symbolic link. This can lead to unauthorized modification of files, potentially causing data corruption, privilege escalation, or disruption of system operations.

Useful 0 Not Useful 0

Executive Summary

This vulnerability is a Time-of-Check to Time-of-Use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device operations. Specifically, the utility removes the destination path before recreating it by copying. A local attacker who has write access to the destination directory can exploit the time window between removal and recreation by replacing the destination with a symbolic link. When the privileged move operation follows this symlink, it can overwrite an arbitrary target file with the contents from the source.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows a local attacker with write access to a destination directory to overwrite arbitrary target files, including sensitive files, by exploiting a race condition in the mv utility. Such unauthorized modification of sensitive files can lead to data integrity violations and potential exposure or alteration of protected information.

As a result, this vulnerability could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require the protection of sensitive data against unauthorized access and modification. The ability to overwrite sensitive files may lead to breaches of confidentiality and integrity requirements mandated by these regulations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to reproduce the race condition exploit involving cross-device moves with the vulnerable mv utility from uutils coreutils.

A practical detection method involves setting up two directories on different file systems (e.g., /tmp and /home), creating a source file with known payload content, and a sensitive target file with restricted permissions.

Then, run a user-level script that continuously creates a symbolic link from the target path to the sensitive file, while simultaneously running a root-level script that continuously moves the source file to the target path using the vulnerable mv command.

• Create source file: `echo PAYLOAD_FROM_SRC > /tmp/src_file`
• Create sensitive target file with restricted permissions: `sudo touch /home/$USER/secure/victim && sudo chmod 600 /home/$USER/secure/victim`
• Run user-level symlink creation script (symlink.sh) that repeatedly creates a symlink: `while true; do ln -sf /home/$USER/secure/victim /home/$USER/target; done`
• Run root-level move script (mv.sh) that repeatedly moves the source file: `while true; do mv /tmp/src_file /home/$USER/target; done`

If the contents of the sensitive file are overwritten with the payload from the source file, the vulnerability is present.

Useful 0 Not Useful 0