Executive Summary

This vulnerability is a Time-of-Check to Time-of-Use (TOCTOU) issue in the split utility of uutils coreutils. The program tries to prevent data loss by verifying that the input and output files are the same before starting the split operation, based on their file paths. However, after this check, it opens the output file with truncation, which can be exploited by a local attacker who has write access to the directory. The attacker can manipulate the file path, for example by swapping it with a symbolic link, during the small time window between the check and the use. This can cause the split utility to truncate and write to an unintended file, potentially including the input file or other sensitive files accessible to the process.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to permanent data loss because the split utility might truncate and overwrite unintended files. An attacker with local write access to the directory can exploit this to cause damage by redirecting the output to critical or sensitive files, including the input file itself or other files accessible by the process.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability is a local Time-Of-Check to Time-Of-Use (TOCTOU) race condition in the split utility of uutils coreutils, which can be exploited by a local attacker with write access to the directory containing the output file. Detection involves verifying whether the installed version of the split utility is vulnerable or has been patched.

To detect if your system is vulnerable, you can check the version of the uutils coreutils package and see if it includes the fix from pull request #11401. Since this is a local race condition, network detection is not applicable.

Suggested commands to help detect or mitigate the vulnerability include:

• Check the version of uutils coreutils installed: `split --version` or check package manager info.
• Review if the installed version includes the fix by comparing the version or patch level against the one that merged pull request #11401.
• Monitor file system activity for suspicious symbolic link swaps or unexpected truncations in directories where split is used.
• Use file integrity monitoring tools to detect unexpected changes to sensitive files that could result from exploitation.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in the split utility can lead to unintended data loss or corruption by allowing an attacker to cause the utility to truncate or write to files other than the intended target. This could potentially include sensitive files accessible by the process.

Such unintended data loss or corruption of sensitive files may impact compliance with data protection standards and regulations like GDPR or HIPAA, which require the protection and integrity of personal and sensitive data.

However, the provided information does not explicitly discuss compliance implications or how this vulnerability directly affects adherence to these standards.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate the CVE-2026-35374 vulnerability in the split utility of uutils coreutils, you should update to the fixed version where the race condition has been addressed. The fix involves hardening the output file open path by changing the order and method of checks and file opening to close the race window that allows malicious file swaps.

This update prevents the split utility from truncating or writing to unintended target files by ensuring the file being truncated and written to is the intended target.

Useful 0 Not Useful 0