CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-35341

CVE-2026-35341: Local Privilege Escalation and Permission Degradation in uutils coreutils mkfifo

Alon Barad
Alon Barad
Software Engineer

Jul 6, 2026·7 min read·1 visit

Executive Summary (TL;DR)

A logical flow-control bypass and a TOCTOU race condition in the uutils coreutils mkfifo utility allow unprivileged local attackers to degrade system file permissions and escalate privileges.

CVE-2026-35341 is a high-severity vulnerability in the mkfifo utility of uutils coreutils, involving a logic-flow bypass and a TOCTOU race condition that permits unauthorized file permission degradation and privilege escalation.

Vulnerability Overview

uutils coreutils is a cross-platform implementation of the GNU coreutils suite written in Rust. Because Rust provides strong memory safety guarantees, these tools are increasingly deployed in performance-critical, containerized, or minimal environments such as Wolfi and Chainguard images. However, memory safety does not preclude systemic logical flaws, which can still compromise security boundaries.

This analysis focuses on CVE-2026-35341, a high-severity vulnerability affecting the mkfifo utility (uu_mkfifo applet) within uutils coreutils. The issue involves a logical flow-control error combined with a Time-of-Check to Time-of-Use (TOCTOU) race condition during file permission assignment. An unprivileged local attacker can exploit these issues to alter permissions of arbitrary files on the local filesystem, leading to potential local privilege escalation (LPE).

Root Cause Analysis

The primary root cause resides within the directory-processing loop in src/uu/mkfifo/src/mkfifo.rs. When multiple file paths are provided to the utility, a loop iterates over each path, calling the create_fifo helper function. The utility expects to create a new named pipe (FIFO) at each location and subsequently apply the configured permissions.

If the specified path already exists, the operating system kernel returns an EEXIST error, which create_fifo bubbles up. The error handling mechanism of mkfifo catches this exception, logs an error message to the standard error console, but fails to stop processing for that specific iteration. Because there is no continue statement inside the Err match branch, execution drops directly into the subsequent permission-setting logic.

The application then calls fs::set_permissions(path, mode) on the user-supplied target. Since the target file already exists and the caller may own it (or have administrative permissions), the system applies the newly requested permissions—or fallback default permissions—directly to the existing file. This allows standard system files or user-owned configuration documents to be silently modified to a degraded security state.

The TOCTOU Symlink Race

Beyond the simple control flow issue, the implementation of mkfifo is subject to a classic Time-of-Check to Time-of-Use (TOCTOU) vulnerability. This race condition arises from the split-second delay between the verification/creation stage and the modification stage. These operations are performed non-atomically via distinct system calls.

First, the program invokes create_fifo(path) to verify and create the FIFO. Once completed, the program resolves the path a second time to execute the set_permissions routine. Because this secondary modification operates on a path string rather than an active file descriptor, an attacker with write access to the parent directory can swap the newly created FIFO with a symbolic link before the permission phase occurs.

Since standard Rust file-system APIs (such as std::fs::set_permissions) resolve symbolic links by default, the kernel traverses the attacker's symlink. This redirects the permission modification to a target file outside the immediate directory, such as a critical system file. The lack of lchmod or descriptor-locked controls makes this sequence highly exploitable in shared environments.

Code Analysis: Vulnerable vs. Patched

The vulnerable code structure in src/uu/mkfifo/src/mkfifo.rs fails to interrupt the program flow upon encountering a creation failure. The block below represents the logical flaw prior to the introduction of the patch:

// Vulnerable Implementation
for path in &paths {
    match create_fifo(path) {
        Ok(_) => {
            // FIFO created successfully
        }
        Err(e) => {
            // Log the EEXIST or other error to stderr
            show_error!("{}", e);
            // Missing control flow redirect (continue) allows execution to proceed
        }
    }
 
    // Execution falls through and alters target permissions
    if let Some(mode) = specified_mode {
        fs::set_permissions(path, mode);
    } else {
        fs::set_permissions(path, default_mode);
    }
}

The patch introduced in Pull Request #10376 inserts the missing control loop redirection, ensuring that if create_fifo returns an error, the iteration terminates immediately. The following block displays the corrected code:

// Patched Implementation
for path in &paths {
    if let Err(e) = create_fifo(path) {
        // Log the error to stderr as before
        show_error!("{}", e);
        // Patch: Terminate current iteration, bypassing permission-setting
        continue;
    }
 
    // This section is now unreachable if creation failed
    if let Some(mode) = specified_mode {
        fs::set_permissions(path, mode);
    }
}

While the introduction of the continue statement resolves the logical fall-through for existing paths, it is critical to note that the TOCTOU symlink race condition persists if a user executes mkfifo on non-existing paths inside a shared directory. A robust resolution requires utilizing file-descriptor-based routines (such as fchmod) or configuring open-flags like O_NOFOLLOW on systems that support it to prevent the utility from traversing newly planted symbolic links.

Exploitation & Attack Methodology

Exploitation of the logical fall-through does not require complex scripting. In a typical scenario, a system administrator or an automated script runs mkfifo on a list of files that include sensitive files like private keys. For instance, if an administrator executes mkfifo -m 0644 /home/user/.ssh/id_rsa, the utility prints an error but modifies the SSH key permissions from 0600 to 0644, exposing the private key to all local users.

To exploit the TOCTOU symlink race, an attacker requires local shell access and the ability to write to a directory where a privileged user runs mkfifo. A script can continuously monitor the directory, waiting for the target FIFO path to be initialized, and immediately swap it for a symlink pointing to /etc/shadow.

The timing window is highly reachable on standard Linux multi-core environments. If the attacker wins the race, the privileged process changes the permissions of /etc/shadow to world-writable (e.g., 0666), enabling the unprivileged attacker to modify system credentials and obtain root privileges.

Impact Assessment

The security impact of CVE-2026-35341 is classified as high. The primary consequences are unauthorized modification of system-wide file permissions and local privilege escalation. Because core utilities are foundational elements of Unix-like operating systems, any vulnerability in these binaries can undermine the security posture of the entire platform.

The CVSS 3.1 base score of 7.1 highlights the severity of this weakness. The Confidentiality and Integrity metrics are both rated as High because an attacker can read sensitive files by lowering permissions and write to critical files like /etc/shadow to alter system-level configurations.

In cloud-native or containerized environments, degrading permissions on critical configuration files or secrets mounted into shared volumes can lead to container escape or database credential theft. The vulnerability's presence in standard base images increases the overall threat surface across development pipelines.

Remediation & Defence-in-Depth

Remediating this vulnerability requires immediate updates to uutils coreutils. Users should verify that their systems run a version containing the changes introduced in Pull Request #10376. This update prevents the logical fall-through by skipping the permission-setting phase on creation failures.

For systems where immediate updates are not possible, administrators should implement strict operational controls. Avoid running mkfifo as root or inside world-writable directories such as /tmp. Instead, utilize secure subdirectories with permissions restricted to the executing user (e.g., 0700).

Furthermore, deploying kernel-level protections can mitigate symlink exploitation. In Linux environments, setting the sysctl option fs.protected_symlinks to 1 prevents users from following symlinks in world-writable sticky directories if the symlink's owner does not match the accessor, effectively blocking the TOCTOU attack vector.

Technical Appendix

CVSS Score
7.1/ 10
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Probability
0.17%
Top 94% most exploited

Affected Systems

uutils coreutilsWolfi developer imagesChainguard developer imagesDebian Linux (experimental uutils-coreutils package)Ubuntu Linux (experimental uutils-coreutils package)

Affected Versions Detail

Product
Affected Versions
Fixed Version
coreutils
uutils
< commit pull/10376PR #10376 merged version
AttributeDetail
CWE IDCWE-732
Attack VectorLocal (AV:L)
CVSS v3.1 Score7.1
EPSS Score0.00165
Exploit StatusProof of Concept (PoC) Available
CISA KEV StatusNot Listed

MITRE ATT&CK Mapping

T1222.002Linux and Mac File and Directory Permissions Modification
Defense Evasion
CWE-732
Incorrect Permission Assignment for Critical Resource

The software specifies permissions for a security-critical resource in a way that allows that resource to be accessed by unintended actors.

Vulnerability Timeline

Vulnerability reported and issue #10020 opened on GitHub
2026-01-03
Pull Request #10376 submitted to resolve the control flow permission bypass
2026-01-18
CVE-2026-35341 officially assigned and published in the NVD
2026-04-22
Last official modification and assessment updates recorded in the NVD
2026-06-17

References & Sources

  • [1]uutils coreutils Issue #10020: mkfifo TOCTOU and logic flow permissions bypass
  • [2]uutils coreutils Pull Request #10376: mkfifo fix permissions update on creation failure
  • [3]Official CVE-2026-35341 Record on CVE.org
  • [4]Wiz Vulnerability Database Overview for CVE-2026-35341

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•27 minutes ago•GHSA-CGFV-JRFP-2R7V
8.5

GHSA-cgfv-jrfp-2r7v: Authenticated SQL Injection in OpenRemote Datapoint Crosstab Export

An authenticated SQL injection vulnerability exists in the datapoint crosstab export functionality of OpenRemote. The vulnerability is caused by insecure manual SQL string construction that concatenates user-controlled display data, specifically asset display names and attribute names, directly into raw SQL statements. These statements are processed by the PostgreSQL database engine using the crosstab function to structure dynamic CSV outputs.

Amit Schendel
Amit Schendel
0 views•5 min read
•about 1 hour ago•GHSA-QRWJ-VH9X-GW5V
8.0

GHSA-QRWJ-VH9X-GW5V: Cross-Agent Server-Side Request Forgery and Remote Code Execution in Coder Workspace Agent

An insecure redirect vulnerability in Coder allows an authenticated attacker who controls a workspace agent to perform unauthorized cross-agent file operations and achieve remote code execution in other workspaces. By exploiting default redirect-following behavior in the control-plane's HTTP client, a malicious agent can redirect legitimate requests to a victim's deterministic tailnet IP address.

Amit Schendel
Amit Schendel
0 views•5 min read
•about 2 hours ago•CVE-2026-35361
3.4

CVE-2026-35361: Security Permission Bypass via Improper File Cleanup in uutils coreutils mknod

A security permission bypass vulnerability exists in the mknod utility of uutils coreutils on Linux systems utilizing SELinux. The utility fails to atomically assign SELinux security contexts during special file creation. When assignment fails, the program attempts cleanup using an incorrect file system API, which fails silently. This leaves mislabeled, orphaned special files on disk with potentially weaker default inherited permissions.

Amit Schendel
Amit Schendel
1 views•9 min read
•about 2 hours ago•CVE-2026-35381
3.3

CVE-2026-35381: Logic Error and Parameter Mismatch in uutils coreutils cut Utility

A logic error in the cut utility of uutils coreutils prior to version 0.8.0 causes the utility to ignore the -s (suppress non-delimited records) flag when invoked with the zero-terminated (-z) and empty delimiter (-d '') flags in combination. This results in unintended preservation of undelimited input streams, which breaks the functional parity with GNU coreutils and leads to potential data integrity issues in automated data processing pipelines.

Alon Barad
Alon Barad
5 views•7 min read
•about 3 hours ago•CVE-2026-55792
6.0

CVE-2026-55792: Sensitive File Disclosure in Craft CMS via Twig Sandbox Bypass

CVE-2026-55792 represents a sensitive file disclosure vulnerability in Craft CMS. The issue arises from the inclusion of the `dataUrl()` function in the Twig sandbox allowlist combined with incomplete path validation inside the underlying helper method. Attackers with low-privileged control panel access can exploit this flaw to read and exfiltrate the `.env` configuration file.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 4 hours ago•CVE-2026-35366
4.4

CVE-2026-35366: Security Inspection Bypass in uutils coreutils printenv via non-UTF-8 Environment Variables

A security inspection bypass vulnerability exists in the printenv utility of uutils coreutils (a Rust-based implementation of GNU coreutils) prior to version 0.6.0. Due to a semantic mismatch between POSIX environment variable specifications and Rust's strict UTF-8 validation rules, environment variables containing invalid UTF-8 byte sequences are silently omitted from printenv outputs. This allows local attackers to load and execute adversarial environment variables while remaining undetected by system administrators and automated security auditing tools.

Alon Barad
Alon Barad
5 views•6 min read