Time-of-Check to Time-of-Use Vulnerability in uutils Coreutils
CVE-2026-35376

4.5 MEDIUM

Key Information:

Vendor: Uutils

Status
Vendor
CVE Published: 22 April 2026

What is CVE-2026-35376?

A time-of-check to time-of-use (TOCTOU) race condition has been identified in the chcon utility of uutils coreutils, affecting recursive operations. The issue stems from how recursive targets are resolved: the implementation performs a fresh path lookup for each target, which decouples the lookup from the directory state encountered during traversal. Consequently, a local attacker with write access can exploit timing-sensitive rename or symbolic link races to redirect a privileged recursive relabeling operation to unintended files or directories. This undermines the hardening of SELinux administration workflows and can lead to unauthorized modification of security labels on crucial system objects.
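
The race class described above can be closed by resolving each entry relative to the directory file descriptor held during traversal and refusing anything that is no longer the object that was seen. The following C sketch is an added illustration, not the uutils code or its fix; the helper names, the temporary directory, and the entry names "entry" and "other" are assumptions constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct entry_id { dev_t dev; ino_t ino; };  /* identity seen during traversal */

/* Time of check: record what `name` is inside the open directory, without following symlinks. */
int record_entry(int dirfd, const char *name, struct entry_id *out) {
    struct stat st;
    if (fstatat(dirfd, name, &st, AT_SYMLINK_NOFOLLOW) != 0) return -1;
    out->dev = st.st_dev; out->ino = st.st_ino;
    return 0;
}

/* Time of use: open relative to dirfd, refuse symlinks, confirm identity.
 * Returns an fd for fd-based calls such as fsetxattr(2), or -1 if refused. */
int open_verified(int dirfd, const char *name, const struct entry_id *want) {
    struct stat st;
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                 /* ELOOP: entry is now a symlink */
    if (fstat(fd, &st) != 0 || st.st_dev != want->dev || st.st_ino != want->ino) {
        close(fd); return -1;              /* entry was replaced, e.g. by rename */
    }
    return fd;
}

/* Constructed scenario in a temp dir. swap: 0 = none, 1 = entry becomes a symlink,
 * 2 = another file is renamed over entry. Returns 1 if use proceeds, 0 if refused. */
int run_scenario(int swap) {
    char tmpl[] = "/tmp/toctou-demo-XXXXXX"; struct entry_id id;
    if (!mkdtemp(tmpl)) return -1;
    int dirfd = open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    int a = openat(dirfd, "entry", O_CREAT | O_WRONLY, 0600);
    int b = openat(dirfd, "other", O_CREAT | O_WRONLY, 0600);
    if (a < 0 || b < 0 || record_entry(dirfd, "entry", &id) != 0) return -1;
    close(a); close(b);
    if (swap == 1) { unlinkat(dirfd, "entry", 0); symlinkat("other", dirfd, "entry"); }
    if (swap == 2) renameat(dirfd, "other", dirfd, "entry");
    int fd = open_verified(dirfd, "entry", &id);
    if (fd >= 0) close(fd);
    unlinkat(dirfd, "entry", 0); unlinkat(dirfd, "other", 0); close(dirfd); rmdir(tmpl);
    return fd >= 0;
}
int main(void) {
    printf("none=%d symlink=%d rename=%d\n", run_scenario(0), run_scenario(1), run_scenario(2));
    return 0;
}
```

A path-based call made after the check would resolve "entry" again and follow whatever is there at that moment; the descriptor returned by open_verified stays bound to the verified object for the rest of the operation.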

Affected Version(s)

coreutils (Linux): versions from 0 up to, but not including, 0.8.0

CVSS V3.1

Score: 4.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Zellic