Race Condition in mkfifo Utility of uutils Coreutils
CVE-2026-35352

7HIGH

Key Information:

Vendor: Uutils
Status: Coreutils
Vendor: CVE Published:; 22 April 2026

What is CVE-2026-35352?

A race condition in the mkfifo utility of uutils coreutils allows a local attacker to exploit the difference between the time a FIFO is created and when permissions are applied. An attacker with write access to the parent directory can replace the newly created FIFO with a symbolic link before the chmod operation executes. This manipulation can redirect the chmod call to an arbitrary file, which can lead to privilege escalation when the mkfifo utility is executed with elevated privileges.

References

https://github.com/uutils/coreutils/issues/10020

issue-tracking

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Apr 2, 2026

Credit

Zellic

CVE-2026-35352 Data

JSON

Uutils

What is CVE-2026-35352?

References

CVSS V3.1

Timeline

Credit