CVE-2026-5958
Deferred Deferred - Pending Action
Symlink Race Condition in sed Allows Arbitrary File Overwrite

Publication date: 2026-04-20

Last updated on: 2026-05-19

Assigner: CERT.PL

Description
When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: 1. resolves symlink to its target and storesΒ the resolved path for determining when output is written, 2. opens the original symlink pathΒ (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1.Β This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process. This issue was fixed in version 4.10.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-05-19
Generated
2026-06-16
AI Q&A
2026-04-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5958
EUVD
EUVD-2026-23834
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gnu sed From 4.1e (exc) to 4.10 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5958 is a race condition vulnerability in GNU sed when used with both the -i (in-place edit) and --follow-symlinks options. The function open_next_file() performs two separate filesystem operations on the same path: first, it resolves a symbolic link (symlink) to its target and stores this resolved path to determine where output should be written; second, it opens the original symlink path to read the file. Between these two operations, there is a race window where an attacker can replace the symlink with a different target. This causes sed to read from the attacker-controlled target but write the processed output to the originally resolved path, enabling arbitrary file overwrite with attacker-controlled content.

Impact Analysis

This vulnerability can allow an attacker to overwrite arbitrary files on the filesystem with content they control, under the privileges of the sed process. This could lead to unauthorized modification of important files, potentially causing data loss, corruption, or enabling further privilege escalation or system compromise.

Detection Guidance

This vulnerability occurs when GNU sed is invoked with both the -i (in-place edit) and --follow-symlinks options. Detection involves identifying usage of sed commands with these specific options on affected versions.

To detect if your system is vulnerable, check the installed sed version and look for scripts or commands that use both -i and --follow-symlinks together.

  • Check sed version: sed --version
  • Search for usage of sed with -i and --follow-symlinks in scripts or command history, for example: grep -r "sed.*-i.*--follow-symlinks" /path/to/scripts
Mitigation Strategies

The vulnerability was fixed in GNU sed version 4.10. The immediate mitigation step is to upgrade sed to version 4.10 or later.

Until the upgrade can be performed, avoid using sed with both -i and --follow-symlinks options together, as this combination triggers the vulnerability.

Compliance Impact

The vulnerability allows an attacker to overwrite arbitrary files with attacker-controlled content under the privileges of the sed process. This could potentially lead to unauthorized modification or corruption of sensitive data.

Such unauthorized file overwrites may impact compliance with standards and regulations like GDPR or HIPAA, which require protection of data integrity and prevention of unauthorized data modification.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory consequences.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5958. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart