PT-2026-34488 · Unknown · Uutils Coreutils

Zellic · Published 2026-04-22 · Updated 2026-04-22 · CVE-2026-35352

CVSS v3.1: 7.0 High (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Name of the Vulnerable Software and Affected Versions
uutils coreutils (affected versions not specified)

Description
A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility. This occurs when the utility creates a FIFO and subsequently performs a path-based chmod to set permissions. A local attacker with write access to the parent directory can replace the newly created FIFO with a symbolic link between these two operations, redirecting the chmod call to an arbitrary file. This may lead to privilege escalation if the utility is executed with elevated privileges. TOCTOU is a software bug where a system checks the state of a resource before using it, but the state changes between the check and the use.

Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
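
The sequence in the description, as an added C example that is not uutils code (the function names are hypothetical): the path-based create-then-chmod pattern next to a variant that pins the object with a file descriptor and checks it before changing the mode. It assumes a POSIX.1-2008 system and a FIFO the caller can open for reading.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: two separate path lookups. Between
 * them the name can be re-pointed, and chmod(2) follows symbolic links. */
int fifo_create_by_path(const char *path, mode_t mode)
{
    if (mkfifo(path, mode) != 0)
        return -1;
    return chmod(path, mode);
}

/* Hardened second step: pin the object with a descriptor, check what was
 * actually opened, then change the mode through the descriptor.
 * Assumption: the FIFO is readable by the caller, so the open succeeds. */
int fifo_set_mode_pinned(int dirfd, const char *name, mode_t mode)
{
    struct stat st;
    /* O_NOFOLLOW: fail if the final path component is a symlink.
     * O_NONBLOCK: a read-only open of a FIFO returns without a writer. */
    int fd = openat(dirfd, name,
                    O_RDONLY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISFIFO(st.st_mode)) {
        close(fd);
        errno = EINVAL;              /* the name is not a FIFO any more */
        return -1;
    }
    int rc = fchmod(fd, mode);       /* acts on the inode, not on the name */
    close(fd);
    return rc;
}

/* Create relative to a directory descriptor, then set the mode via the fd. */
int fifo_create_pinned(int dirfd, const char *name, mode_t mode)
{
    if (mkfifoat(dirfd, name, mode) != 0)
        return -1;
    return fifo_set_mode_pinned(dirfd, name, mode);
}
```

Where the requested mode can be passed to mkfifo directly under a umask that does not mask it, the second step is not needed at all.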

Exploit

Time Of Check To Time Of Use

Weakness Enumeration

Related Identifiers: CVE-2026-35352

Affected Products: Uutils Coreutils