Directory Traversal Vulnerability in Uutils Coreutils on Unix-like Systems
CVE-2026-35362
3.6 LOW
What is CVE-2026-35362?
The safe_traversal module in Uutils Coreutils incorrectly restricts its symlink race protection to Linux, exposing Unix-like systems, including macOS and FreeBSD, to directory traversal vulnerabilities. As a result, these systems lack the necessary safeguards against Time-of-Check to Time-of-Use (TOCTOU) symlink race conditions, which can lead to unauthorized access to sensitive files and directories during directory traversal operations.
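The class of protection described above, shown as an added example (this is not the uutils code): each path component is opened relative to a directory descriptor already held, with O_NOFOLLOW, so a symlink swapped in between a check and the open is refused rather than followed. The names `open_beneath` and `demo` and the temporary fixture are constructed for illustration; the calls are POSIX.1-2008 rather than Linux-specific.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open `rel` beneath directory fd `root`, one component
 * at a time. Each step is relative to an fd already held, and O_NOFOLLOW makes
 * a symlink swapped in after any earlier check fail instead of being followed. */
int open_beneath(int root, const char *rel, int final_flags) {
    char buf[4096], *save = NULL;
    if (strlen(rel) >= sizeof buf) return -1;
    strcpy(buf, rel);
    int dir = dup(root);
    char *comp = strtok_r(buf, "/", &save);
    while (dir >= 0 && comp) {
        char *next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, "..") == 0) { close(dir); return -1; }
        int flags = next ? (O_RDONLY | O_DIRECTORY) : final_flags;
        int fd = openat(dir, comp, flags | O_NOFOLLOW | O_CLOEXEC);
        close(dir);
        dir = fd;  /* -1 ends the walk */
        comp = next;
    }
    return dir;
}

/* Constructed fixture: <tmp>/real/file plus <tmp>/link -> real. Result bits:
 * 1 = plain path opens, 2 = path through symlink refused, 4 = ".." refused. */
int demo(void) {
    char tmpl[] = "/tmp/beneathXXXXXX";
    int root = mkdtemp(tmpl) ? open(tmpl, O_RDONLY | O_DIRECTORY) : -1;
    if (root < 0) return -1;
    mkdirat(root, "real", 0700);
    close(openat(root, "real/file", O_CREAT | O_WRONLY, 0600));
    if (symlinkat("real", root, "link") != 0) return -1;
    int ok = open_beneath(root, "real/file", O_RDONLY);
    int r = (ok >= 0) | (open_beneath(root, "link/file", O_RDONLY) < 0) << 1
          | (open_beneath(root, "real/../real/file", O_RDONLY) < 0) << 2;
    if (ok >= 0) close(ok);
    unlinkat(root, "link", 0); unlinkat(root, "real/file", 0);
    unlinkat(root, "real", AT_REMOVEDIR);
    close(root); rmdir(tmpl);
    return r;
}

int main(void) { printf("mask=%d\n", demo()); return 0; }
```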
Affected Version(s)
coreutils Unix 0 < 0.6.0
