Time-of-Check to Time-of-Use Flaw in uutils Coreutils mv Utility
CVE-2026-35354

4.7 MEDIUM

Key Information:

Vendor: Uutils

Status
Vendor
CVE Published: 22 April 2026

What is CVE-2026-35354?

The mv utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that a local attacker with write access can exploit during cross-device file transfers. The transfer is carried out with multiple path-based system calls that are executed without proper synchronization, which can leave security attributes such as SELinux labels and file capabilities inconsistent. An attacker who manipulates files between the check and the use can ultimately compromise the integrity of the destination file.
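The general defence against this class of race is to open the destination once and apply every attribute through that descriptor instead of re-resolving the path. The sketch below is an added example, not code from uutils or its fix; it uses mode bits as a stand-in for SELinux labels and file capabilities because the Rust standard library has no xattr API, and `copy_bound_to_fd`, `path_still_matches`, `racer` and the file names are hypothetical.

```rust
use std::fs::{self, File, OpenOptions, Permissions};
use std::io;
use std::os::unix::fs::{MetadataExt, PermissionsExt};
use std::path::Path;

// Copies src to a new dst and applies the source mode through the open
// descriptor. `racer` is a hypothetical hook standing in for a concurrent
// process that touches the dst path between the copy and the attribute step.
fn copy_bound_to_fd(src: &Path, dst: &Path, racer: impl FnOnce() -> io::Result<()>)
    -> io::Result<(u64, u64)> {
    let mut input = File::open(src)?;
    let mode = input.metadata()?.mode() & 0o7777; // fstat on the descriptor
    // create_new is O_CREAT|O_EXCL: fails if dst exists, even as a symlink.
    let mut output = OpenOptions::new().write(true).create_new(true).open(dst)?;
    io::copy(&mut input, &mut output)?;
    racer()?;
    output.set_permissions(Permissions::from_mode(mode))?; // fchmod, not chmod(path)
    let meta = output.metadata()?;
    Ok((meta.dev(), meta.ino())) // identity of the inode actually written
}

// True if the dst path still names the inode we wrote (lstat, no symlink follow).
fn path_still_matches(dst: &Path, id: (u64, u64)) -> io::Result<bool> {
    let meta = fs::symlink_metadata(dst)?;
    Ok((meta.dev(), meta.ino()) == id)
}

// Constructed scenario: the dst path is replaced by a decoy mid-operation.
fn demo() -> io::Result<(u32, bool)> {
    let dir = std::env::temp_dir().join(format!("fd-bound-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let (src, dst, decoy) = (dir.join("src"), dir.join("dst"), dir.join("decoy"));
    let _ = fs::remove_file(&dst);
    fs::write(&src, b"payload")?;
    fs::set_permissions(&src, Permissions::from_mode(0o640))?;
    fs::write(&decoy, b"decoy")?;
    fs::set_permissions(&decoy, Permissions::from_mode(0o600))?;
    let id = copy_bound_to_fd(&src, &dst, || fs::rename(&decoy, &dst))?;
    let decoy_mode = fs::symlink_metadata(&dst)?.mode() & 0o7777;
    let intact = path_still_matches(&dst, id)?;
    fs::remove_dir_all(&dir)?;
    Ok((decoy_mode, intact))
}

fn main() -> io::Result<()> {
    let (decoy_mode, intact) = demo()?;
    println!("decoy mode {:o}, dst path intact: {}", decoy_mode, intact);
    Ok(())
}
```

The decoy keeps its own mode because the descriptor-bound call never touches it, and the final identity check reports that the path no longer names the file that was written, so the caller can fail the move instead of trusting the destination.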

CVSS V3.1

Score: 4.7
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Zellic