PT-2026-34493 · Unknown · Uutils Coreutils

Zellic · Published 2026-04-22 · Updated 2026-04-23 · CVE-2026-35357

CVSS v3.1: 4.7 (Medium)

Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

uutils coreutils (affected versions not specified)

Description

The cp utility is subject to an information disclosure race condition. Destination files are initially created using permissions derived from the umask (for example, 0644) before the process restricts them to their final mode (for example, 0600). A local attacker can exploit this timing window to open the file; the resulting file descriptor remains valid and readable even after permissions are tightened, allowing access to sensitive or private content.
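
The ordering problem described above, as an added Rust example (not uutils code and not part of the advisory): `copy_then_chmod` follows the create-then-tighten sequence, while `copy_created_private` requests owner-only bits in the creating `open` call so the file never exists with wider permissions. The function names, paths and sample content are constructed for illustration.

```rust
use std::fs::{self, File, OpenOptions, Permissions};
use std::io::{self, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;

// Hypothetical helper: permission bits of an open file (fstat on the descriptor).
fn mode_of(f: &File) -> io::Result<u32> {
    Ok(f.metadata()?.permissions().mode() & 0o7777)
}

// Ordering from the description: create with umask-derived bits, write, then
// tighten. Returns (mode at creation, final mode).
fn copy_then_chmod(dst: &Path, data: &[u8], final_mode: u32) -> io::Result<(u32, u32)> {
    let mut f = File::create(dst)?; // 0o666 & !umask, e.g. 0o644
    let at_creation = mode_of(&f)?;
    f.write_all(data)?;
    // A descriptor another user opened before this call stays readable after it.
    f.set_permissions(Permissions::from_mode(final_mode))?;
    Ok((at_creation, mode_of(&f)?))
}

// Hardened ordering: the file never exists with group/other bits, so there is
// no window. umask can only clear bits from the requested creation mode.
fn copy_created_private(dst: &Path, data: &[u8], final_mode: u32) -> io::Result<(u32, u32)> {
    let mut f = OpenOptions::new()
        .write(true)
        .create_new(true) // O_EXCL: fail on a pre-existing file or symlink
        .mode(final_mode & 0o600) // owner-only until the content is written
        .open(dst)?;
    let at_creation = mode_of(&f)?;
    f.write_all(data)?;
    // fchmod on our own descriptor sets the exact final mode, umask-independent.
    f.set_permissions(Permissions::from_mode(final_mode))?;
    Ok((at_creation, mode_of(&f)?))
}

fn main() -> io::Result<()> {
    // Constructed sample paths and content.
    let dir = std::env::temp_dir();
    let (racy, safe) = (dir.join("demo_racy.txt"), dir.join("demo_safe.txt"));
    let _ = (fs::remove_file(&racy), fs::remove_file(&safe));
    let r = copy_then_chmod(&racy, b"constructed secret\n", 0o600)?;
    let s = copy_created_private(&safe, b"constructed secret\n", 0o600)?;
    println!("create-then-chmod: {:o} -> {:o}", r.0, r.1);
    println!("created private:   {:o} -> {:o}", s.0, s.1);
    fs::remove_file(&racy)?;
    fs::remove_file(&safe)
}
```

The mode reported at creation for the first function depends on the caller's umask; for the second it has no group or other bits under any umask.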

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Weakness Enumeration

Time Of Check To Time Of Use

Related Identifiers

CVE-2026-35357
GHSA-2M8X-MVFX-GWGJ

Affected Products

Uutils Coreutils