TOCTOU Vulnerability in uutils coreutils Split Utility
CVE-2026-35374

6.3MEDIUM

Key Information:

Vendor: Uutils
Status: Coreutils
Vendor: CVE Published:; 22 April 2026

What is CVE-2026-35374?

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability has been identified in the split utility of uutils coreutils. Although the utility conducts an initial validation of input and output files based on their paths to prevent data loss, it subsequently opens the output file with truncation once this validation is complete. This creates a race condition that a local attacker with write access to the directory can exploit by modifying the file paths, such as substituting a path with a symbolic link. As a result, the split utility may inadvertently write to unexpected files, including sensitive data or the original input file, which can lead to irreversible data loss.

References

https://github.com/uutils/coreutils/pull/11401

issue-trackingpatch

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Apr 2, 2026

Credit

Zellic

CVE-2026-35374 Data

JSON

Uutils

What is CVE-2026-35374?

References

CVSS V3.1

Timeline

Credit