CVE-2026-5958
Symlink Race Condition in sed Allows Arbitrary File Overwrite
Publication date: 2026-04-20
Last updated on: 2026-04-20
Assigner: CERT.PL
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gnu | sed | From 4.1e (exc) to 4.10 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5958 is a race condition vulnerability in GNU sed when used with both the -i (in-place edit) and --follow-symlinks options. The function open_next_file() performs two separate filesystem operations on the same path: first, it resolves a symbolic link (symlink) to its target and stores this resolved path to determine where output should be written; second, it opens the original symlink path to read the file. Between these two operations, there is a race window where an attacker can replace the symlink with a different target. This causes sed to read from the attacker-controlled target but write the processed output to the originally resolved path, enabling arbitrary file overwrite with attacker-controlled content.
How can this vulnerability impact me?
This vulnerability can allow an attacker to overwrite arbitrary files on the filesystem with content they control, under the privileges of the sed process. This could lead to unauthorized modification of important files, potentially causing data loss, corruption, or enabling further privilege escalation or system compromise.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when GNU sed is invoked with both the -i (in-place edit) and --follow-symlinks options. Detection involves identifying usage of sed commands with these specific options on affected versions.
To detect if your system is vulnerable, check the installed sed version and look for scripts or commands that use both -i and --follow-symlinks together.
- Check sed version: `sed --version`
- Search for usage of sed with -i and --follow-symlinks in scripts or command history, for example: `grep -r "sed.*-i.*--follow-symlinks" /path/to/scripts`
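
The grep pattern above only matches lines where -i appears before --follow-symlinks. The following audit sketch is an added example, not part of the advisory or of GNU sed. It also catches the reversed order, suffixed and bundled short options, and --in-place. The function name `find_risky_sed` and the sample file `deploy.sh` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): audit scripts for sed invocations that
# combine in-place editing with --follow-symlinks, in either option order.

# In-place forms: -i, -i.bak, bundles such as -ni or -Ei, --in-place[=SUFFIX].
# [bnErsuz] = sed short options that take no argument and may precede i.
INPLACE_RE='(^|[[:space:]])(-[bnErsuz]*i[^[:space:]]*|--in-place(=[^[:space:]]*)?)([[:space:]]|$)'
FOLLOW_RE='(^|[[:space:]])--follow-symlinks([[:space:]]|$)'
# "sed" as a command word, not part of a longer name such as "used".
SED_RE='(^|[^[:alnum:]_.-])sed[[:space:]]'

# find_risky_sed PATH -> prints "file:line" for each matching line.
# Limits: commands split across lines with "\" and abbreviated long options
# are not matched; treat the output as a review list, not a verdict.
find_risky_sed() {
    grep -rHnE -- "$SED_RE" "$1" 2>/dev/null \
        | grep -E -- "$INPLACE_RE" \
        | grep -E -- "$FOLLOW_RE" \
        | cut -d: -f1,2
}

# Constructed sample script covering the orderings the simple grep misses.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/deploy.sh" <<'EOF'
sed -i --follow-symlinks 's/a/b/' /etc/app.conf
sed --follow-symlinks -i.bak 's/a/b/' /etc/app.conf
sed --follow-symlinks -ni '/keep/p' /etc/app.conf
sed --in-place --follow-symlinks 's/a/b/' /etc/app.conf
sed -i 's/a/b/' /etc/app.conf
sed --follow-symlinks 's/a/b/' /etc/app.conf
echo "used -i --follow-symlinks in a message"
EOF
    (cd "$dir" && find_risky_sed deploy.sh)
    rm -rf "$dir"
}

demo
```

Only the first four lines of the sample are reported. The last three carry just one of the two options or do not invoke sed at all.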
What immediate steps should I take to mitigate this vulnerability?
The vulnerability was fixed in GNU sed version 4.10. The immediate mitigation step is to upgrade sed to version 4.10 or later.
Until the upgrade can be performed, avoid using sed with both -i and --follow-symlinks options together, as this combination triggers the vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to overwrite arbitrary files with attacker-controlled content under the privileges of the sed process. This could potentially lead to unauthorized modification or corruption of sensitive data.
Such unauthorized file overwrites may impact compliance with standards and regulations like GDPR or HIPAA, which require protection of data integrity and prevention of unauthorized data modification.
However, the provided information does not explicitly discuss compliance impacts or specific regulatory consequences.