Jul 6, 2026·9 min read·1 visit
The mknod utility in uutils coreutils fails to clean up orphaned special files when SELinux labeling fails because it incorrectly attempts to delete them using rmdir instead of unlink. This leaves mislabeled device nodes or FIFOs on disk under default permissions, bypassing mandatory access controls.
A security permission bypass vulnerability exists in the mknod utility of uutils coreutils on Linux systems utilizing SELinux. The utility fails to atomically assign SELinux security contexts during special file creation. When assignment fails, the program attempts cleanup using an incorrect file system API, which fails silently. This leaves mislabeled, orphaned special files on disk with potentially weaker default inherited permissions.
The mknod utility within uutils coreutils contains a security permission bypass vulnerability when run on Linux systems utilizing Security-Enhanced Linux (SELinux) policies. The uutils coreutils project is a cross-platform rewrite of the GNU coreutils suite implemented in the Rust programming language. This utility is responsible for creating special files, such as block device nodes, character device nodes, and FIFO named pipes, on the filesystem. The vulnerability exists within the logic that manages security context assignment and error recovery during the file creation sequence.
When creating a special file with a specified SELinux context, the utility attempts to create the file first and then apply the security context. If the security context assignment fails, the program attempts to clean up the file system state by removing the newly created node. However, due to an incorrect file system API call, this cleanup fails silently. The resulting behavior leaves an orphaned, mislabeled special file on the filesystem with the default inherited context rather than the intended restrictive security label.
This vulnerability is tracked as CVE-2026-35361. It possesses a CVSS v3.1 base score of 3.4, reflecting a low-severity local exposure. Although the vulnerability requires elevated privileges (such as root or CAP_MKNOD) to execute, it compromises the integrity of Mandatory Access Control (MAC) policies in high-security environments. By leaving behind mislabeled device nodes, the flaw exposes systems to potential unauthorized access or privilege escalation vectors.
The root cause of CVE-2026-35361 lies in the non-atomic sequence of file creation and permission assignment, coupled with a flaw in the error-handling cleanup routine. In a standard GNU coreutils implementation, SELinux security contexts are applied atomically. The utility calls setfscreatecon() to define the target security context for the current process thread prior to invoking the mknod() system call. This ensures that the kernel creates the file with the correct security label in a single, atomic operation, eliminating any transitional states.
In contrast, the vulnerable version of uutils coreutils implements a two-step creation and labeling process. The utility first invokes the standard filesystem creation call to generate the device node or FIFO on disk. At this moment, the newly created node inherits the default security context of its parent directory. In the second step, the utility attempts to post-apply the requested SELinux security context using the set_selinux_security_context helper function. This design introduces a temporal window where the node exists with potentially weaker default permissions.
If the second step fails, such as when an administrator provides an invalid or unauthorized SELinux context via the --context argument, the utility enters its cleanup branch. To roll back the partial transaction, the utility attempts to delete the newly created file from disk. However, the implementation calls the std::fs::remove_dir function instead of std::fs::remove_file or std::fs::remove_file's equivalent Unix unlink mechanism. The std::fs::remove_dir API maps directly to the rmdir system call under Unix environments. Because device nodes and FIFOs are not directory structures, the kernel rejects the rmdir system call and returns an ENOTDIR error.
To compound this error, the implementation discards the return value of the remove_dir call using a wildcard pattern binding (let _ =). The utility fails to check for success, causing the application to proceed as if the deletion had succeeded. The process prints an error message regarding the labeling failure and exits with a non-zero status, but leaves the improperly labeled file intact on the filesystem.
The vulnerability resides in the mknod function within src/uu/mknod/src/mknod.rs. The code below illustrates the vulnerable implementation before the patch was applied. The cleanup routine attempts to handle a labeling failure by calling std::fs::remove_dir on a file path that does not represent a directory.
// Vulnerable Code Path in src/uu/mknod/src/mknod.rs
fn mknod(file_name: &str, config: Config) -> i32 {
// ... (creation of the file via mknod system call)
if let Some(ref context) = config.context {
if let Err(e) = set_selinux_security_context(
file_name,
config.context,
) {
// BUG: std::fs::remove_dir is used on a special file (non-directory)
// This call returns ENOTDIR, which is silently ignored
let _ = std::fs::remove_dir(file_name);
eprintln!("{}: {}", uucore::util_name(), e);
return 1;
}
}
0
}The patch resolved this issue by replacing the incorrect directory deletion call with std::fs::remove_file, which utilizes the unlink system call. This system call successfully deletes special files, block files, character files, and FIFOs. The diff below represents the exact modification implemented in the fix commit 42b2ad83cdcf6e959ecb378c5040c60d9c64becf.
// Patched Code Path in src/uu/mknod/src/mknod.rs
fn mknod(file_name: &str, config: Config) -> i32 {
// ... (creation of the file via mknod system call)
if let Some(ref context) = config.context {
if let Err(e) = set_selinux_security_context(
file_name,
config.context,
) {
// FIX: Correctly call remove_file to delete the orphaned node
let _ = std::fs::remove_file(file_name);
eprintln!("{}: {}", uucore::util_name(), e);
return 1;
}
}
0
}While this patch corrects the cleanup failure, it does not address the underlying non-atomic nature of the file creation. The sequence of creating a file under default directory permissions and then applying the SELinux label remains. This design preserves a brief race window during which a concurrent local process can interact with the node. A complete, robust fix requires migrating to the GNU coreutils model where setfscreatecon() is established prior to any filesystem instantiation system calls.
Exploitation of CVE-2026-35361 depends on the presence of SELinux and local execution capabilities. There are three primary technical scenarios in which this vulnerability can be exploited or trigger a security policy bypass.
First, a local attacker can exploit a Time-of-Check to Time-of-Use (TOCTOU) race condition. Since the utility creates the node first and applies the context afterward, the file temporarily exists with the parent directory's default inherited context. If the parent directory allows write or read access to a wider group than the target SELinux context permits, an attacker running a fast, continuous loop can open a file descriptor to the node in that short window. Once the file descriptor is acquired, the attacker retains access even after a context is successfully applied or the file is deleted.
Second, an attacker can leverage process interruption vectors. If the mknod process is forcefully terminated after the file creation call but before the context configuration or cleanup logic runs, the node remains on disk with default labeling. This can be achieved by a local attacker inducing an Out-of-Memory (OOM) state, sending a SIGKILL signal, or causing a system crash, provided they have the capability to influence the runtime environment of the creating process.
Third, an invalid context injection scenario occurs during automated administrative tasks. If an automation script or administrator executes mknod with an invalid security label (e.g., --context=invalid_context_t), the labeling call fails. Due to the cleanup bug, the command terminates with an error but leaves the newly created device node or FIFO on disk. Because the context was never applied, the file remains governed by the weaker inherited default permissions, allowing unauthorized local users to read or write to a sensitive device boundary.
The impact of CVE-2026-35361 is characterized by a localized breakdown of Mandatory Access Control (MAC) enforcement. SELinux relies on strict, explicit security contexts to isolate services and prevent privilege escalation. When the mknod utility fails to clean up after a labeling error, it creates a discrepancy between the system's defined security policy and the actual state of the filesystem.
If the orphaned file is a character or block device node, local unprivileged users may gain direct access to hardware interfaces, kernel drivers, or storage volumes that should be restricted. For example, if a node pointing to a disk partition is left with a generic directory context, a compromised service might read raw disk blocks, bypassing filesystem-level permissions. If the orphaned file is a FIFO named pipe, an attacker could write malicious input to or intercept data from an IPC channel intended for highly privileged system processes.
This vulnerability is assigned a CVSS v3.1 base score of 3.4. The low severity score is a consequence of the high privileges required to execute the mknod command initially. However, in environments utilizing container runtimes, automated provisioning tools, or system deployment scripts, mknod is frequently executed with root capabilities. The vulnerability has an EPSS score of 0.00142, indicating a very low probability of active exploitation in the wild, and it is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
The primary remediation strategy is to upgrade uutils coreutils to version 0.6.0 or later. This release updates the cleanup sequence to use std::fs::remove_file, ensuring that any orphaned nodes resulting from failed context assignments are successfully unlinked and removed from the filesystem.
In environments where immediate upgrading is not feasible, administrators should enforce strict verification procedures for automated scripts. Any invocation of mknod utilizing the --context or -Z flags should be followed by an explicit validation step to verify that the file does not exist if the command returned a non-zero exit code. Alternatively, administrators can wrapper the command with manual cleanup steps that remove the file using the standard host shell's rm utility upon execution failure.
To detect potential exploitation attempts or lingering mislabeled nodes, security teams should configure Auditd rules to monitor for abnormal directory deletion attempts on special files. Specifically, tracking the rmdir system call when it fails with the ENOTDIR error can highlight instances where the vulnerable utility attempted cleanup and failed. Additionally, standard filesystem scanners can be run periodically to cross-reference existing device nodes and FIFOs against expected SELinux security context definitions.
# Auditd rule to capture abnormal rmdir failures on device files
auditctl -a always,exit -F arch=b64 -S rmdir -F exit=-ENOTDIR -k abnormal_rmdir
# Auditd rule to monitor special file creation events
auditctl -a always,exit -F arch=b64 -S mknod,mknodat -k device_creation# Verification test sequence to check for vulnerabilities in the environment
uutils-mknod --context=invalid_context_t /tmp/test_fifo p
if [ -e /tmp/test_fifo ]; then
echo "VULNERABLE: Mislabeled node remained on disk"
rm /tmp/test_fifo
else
echo "SECURE: Orphaned node was successfully deleted"
fiCVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N| Product | Affected Versions | Fixed Version |
|---|---|---|
uutils coreutils uutils | < 0.6.0 | 0.6.0 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-281, CWE-459 |
| Attack Vector | Local |
| CVSS Score | 3.4 |
| EPSS Score | 0.00142 (0.142%) |
| Exploit Status | Proof of Concept |
| KEV Status | Not Listed |
The utility fails to ensure that newly created nodes preserve the mandatory security labels restriction when configuration errors occur.
An authenticated SQL injection vulnerability exists in the datapoint crosstab export functionality of OpenRemote. The vulnerability is caused by insecure manual SQL string construction that concatenates user-controlled display data, specifically asset display names and attribute names, directly into raw SQL statements. These statements are processed by the PostgreSQL database engine using the crosstab function to structure dynamic CSV outputs.
An insecure redirect vulnerability in Coder allows an authenticated attacker who controls a workspace agent to perform unauthorized cross-agent file operations and achieve remote code execution in other workspaces. By exploiting default redirect-following behavior in the control-plane's HTTP client, a malicious agent can redirect legitimate requests to a victim's deterministic tailnet IP address.
CVE-2026-35341 is a high-severity vulnerability in the mkfifo utility of uutils coreutils, involving a logic-flow bypass and a TOCTOU race condition that permits unauthorized file permission degradation and privilege escalation.
A logic error in the cut utility of uutils coreutils prior to version 0.8.0 causes the utility to ignore the -s (suppress non-delimited records) flag when invoked with the zero-terminated (-z) and empty delimiter (-d '') flags in combination. This results in unintended preservation of undelimited input streams, which breaks the functional parity with GNU coreutils and leads to potential data integrity issues in automated data processing pipelines.
CVE-2026-55792 represents a sensitive file disclosure vulnerability in Craft CMS. The issue arises from the inclusion of the `dataUrl()` function in the Twig sandbox allowlist combined with incomplete path validation inside the underlying helper method. Attackers with low-privileged control panel access can exploit this flaw to read and exfiltrate the `.env` configuration file.
A security inspection bypass vulnerability exists in the printenv utility of uutils coreutils (a Rust-based implementation of GNU coreutils) prior to version 0.6.0. Due to a semantic mismatch between POSIX environment variable specifications and Rust's strict UTF-8 validation rules, environment variables containing invalid UTF-8 byte sequences are silently omitted from printenv outputs. This allows local attackers to load and execute adversarial environment variables while remaining undetected by system administrators and automated security auditing tools.