TOCTOU Race Condition in mv Utility of Uutils Coreutils
CVE-2026-35364

6.3 MEDIUM

Key Information:

Vendor: Uutils
CVE Published: 22 April 2026

What is CVE-2026-35364?

A Time-of-Check to Time-of-Use (TOCTOU) race condition is present in the mv utility of Uutils Coreutils and affects cross-device move operations. When executing a copy operation, the process removes the destination path before recreating it. This leaves a window in which a local attacker with write access to the destination directory can replace the intended destination with a symbolic link. The privileged move operation then follows the symlink, so the attacker can redirect the write and overwrite arbitrary target files with content from the source, potentially leading to unauthorized data exposure or corruption.
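One defensive pattern for the remove-then-recreate window described above, as an added example that is not taken from the advisory or from the uutils code base: write the copy to a file created exclusively beside the destination, then rename it over the destination, so the destination path itself is never opened. The names `install_copy` and `demo`, the temp-file naming and the sample files are assumptions made for illustration; the code is Unix-only.

```rust
use std::fs::{self, File, OpenOptions};
use std::io;
use std::os::unix::fs::symlink;
use std::path::Path;

/// Hypothetical helper, not uutils code: install a copy of `src` at `dst`
/// without ever opening `dst`, so a symlink planted there is never followed.
pub fn install_copy(src: &Path, dst: &Path) -> io::Result<()> {
    let bad = || io::Error::new(io::ErrorKind::InvalidInput, "dst needs a file name");
    let name = dst.file_name().ok_or_else(bad)?.to_string_lossy().into_owned();
    // Temp file sits beside dst so the final rename stays on one filesystem.
    let tmp = dst.with_file_name(format!(".{}.{}.tmp", name, std::process::id()));
    let mut input = File::open(src)?;
    // create_new is O_CREAT|O_EXCL: fails if anything, even a symlink, is at tmp.
    let mut out = OpenOptions::new().write(true).create_new(true).open(&tmp)?;
    let done = io::copy(&mut input, &mut out)
        .and_then(|_| out.sync_all())
        // rename(2) swaps the directory entry at dst; a link there is not followed.
        .and_then(|_| fs::rename(&tmp, dst));
    if done.is_err() {
        let _ = fs::remove_file(&tmp); // best-effort cleanup
    }
    done
}

/// Constructed scenario: dst is already a symlink to a victim file, the state
/// the race leaves behind. Returns (victim contents, dst is symlink, dst contents).
pub fn demo() -> io::Result<(String, bool, String)> {
    let dir = std::env::temp_dir().join(format!("mv-toctou-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&dir);
    fs::create_dir_all(&dir)?;
    let (src, dst, victim) = (dir.join("src"), dir.join("dst"), dir.join("victim"));
    fs::write(&src, "source data")?;
    fs::write(&victim, "original")?;
    symlink(&victim, &dst)?;
    install_copy(&src, &dst)?;
    let is_link = fs::symlink_metadata(&dst)?.file_type().is_symlink();
    let out = (fs::read_to_string(&victim)?, is_link, fs::read_to_string(&dst)?);
    fs::remove_dir_all(&dir)?;
    Ok(out)
}

fn main() -> io::Result<()> {
    println!("{:?}", demo()?);
    Ok(())
}
```

This covers only the final path component; it assumes the parent directories of the destination are not themselves attacker-controlled.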

CVSS V3.1

Score: 6.3
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Zellic