Information Disclosure in Uutils Coreutils cp Utility
CVE-2026-35357

4.7MEDIUM

Key Information:

Vendor: Uutils
Status: Coreutils
Vendor: CVE Published:; 22 April 2026

What is CVE-2026-35357?

The cp utility within Uutils Coreutils is susceptible to an information disclosure race condition. When files are created, they initially inherit permissions based on the umask setting (such as 0644), and these permissions are updated to more restrictive settings (like 0600) later in the process. A local attacker may exploit this timing window to open the file while it still has the broader permissions. As a result, even after permissions are tightened, the attacker can access the file descriptor, leading to potential exposure of sensitive or confidential information.

References

https://github.com/uutils/coreutils/issues/10011

issue-tracking

CVSS V3.1

Score:

4.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Apr 2, 2026

Credit

Zellic

CVE-2026-35357 Data

JSON