CVE-2026-35356

Name of the Vulnerable Software and Affected Versions uutils coreutils (affected versions not specified)

Description A Time-of-Check to Time-of-Use (TOCTOU) issue exists in the install utility when using the '-D' flag. The command creates parent directories and then performs a second path resolution to create the target file, without anchoring either process to a directory file descriptor. An attacker with concurrent write access can replace a path component with a symbolic link between these operations, redirecting the privileged write to an arbitrary file system location. TOCTOU is a race condition where a system resource is modified between the time it is checked and the time it is used.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.