Improper Handling of TMPDIR Environment Variable in Uutils Coreutils
CVE-2026-35342

3.3LOW

Key Information:

Vendor: Uutils
Status: Coreutils
Vendor: CVE Published:; 22 April 2026

What is CVE-2026-35342?

The mktemp utility in Uutils Coreutils contains a flaw in its handling of the TMPDIR environment variable. Unlike its GNU counterpart, which defaults to using /tmp when TMPDIR is an empty string, the Uutils implementation incorrectly recognizes the empty string as a valid directory path. This misconfiguration results in the creation of temporary files within the current working directory (CWD). Consequently, if the permissions of the CWD are less restrictive than those of /tmp, this can expose sensitive data to unintended users. As a result, there is a significant risk of unauthorized access to temporary files, highlighting the necessity for proper configuration and secure temporary file handling.

Affected Version(s)

coreutils Linux 0 < 0.6.0

References

https://github.com/uutils/coreutils/pull/10566

patchissue-tracking

https://github.com/uutils/coreutils/releases/tag/0.6.0

vendor-advisory

CVSS V3.1

Score:

3.3

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Apr 2, 2026

Credit

Zellic

CVE-2026-35342 Data

JSON