CVE-2026-35359

Name of the Vulnerable Software and Affected Versions uutils coreutils (affected versions not specified)

Description A Time-of-Check to Time-of-Use (TOCTOU) issue in the cp utility allows an attacker to bypass no-dereference intent. The utility verifies if a source path is a symbolic link using path-based metadata but opens it without the O NOFOLLOW flag. An attacker with concurrent write access can replace a regular file with a symbolic link during this interval, leading a privileged cp process to copy arbitrary sensitive files into a destination controlled by the attacker. TOCTOU is a race condition where a system resource is modified between the time it is checked and the time it is used.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.