PT-2026-34510 · Unknown · Uutils Coreutils

Zellic · Published 2026-04-22 · Updated 2026-05-04 · CVE-2026-35374

CVSS v3.1: 6.3 (Medium)

Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

uutils coreutils (affected versions not specified)

Description

A Time-of-Check to Time-of-Use (TOCTOU) issue exists in the split utility. The program validates that input and output files are not the same by checking their file paths. After this validation, the utility opens the output file with truncation. A local attacker with write access to the directory can exploit this race window by manipulating mutable path components, such as replacing a path with a symbolic link. This allows the utility to truncate and write to an unintended target file, which could be the input file or other sensitive files, resulting in permanent data loss. TOCTOU is a race condition where a system resource is modified between the time it is checked and the time it is used.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
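
The defect described above is a path-based identity check followed by a separate truncating open. The Rust sketch below is an added example, not uutils code: it opens the output without truncation, compares device and inode numbers on the already-open handles, and truncates only through the verified handle. The function names and the temp-directory demo are constructed assumptions, and it covers only the input-file case; keeping writes away from other files also requires refusing symlinks at open time (for example with O_NOFOLLOW).

```rust
// Added example, not uutils code; function names are hypothetical.
use std::fs::{self, File, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{symlink, MetadataExt};
use std::path::Path;

/// Open `output` for writing only after proving, on the open handles,
/// that it is not the same file as `input`.
pub fn open_output_checked(input: &File, output: &Path) -> io::Result<File> {
    // No truncation yet: nothing is destroyed before the identity check.
    let out = OpenOptions::new().write(true).create(true).truncate(false).open(output)?;
    // File::metadata() is fstat() on the descriptor, so later path swaps cannot change it.
    let (i, o) = (input.metadata()?, out.metadata()?);
    if i.dev() == o.dev() && i.ino() == o.ino() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "output is the input file"));
    }
    out.set_len(0)?; // ftruncate() on the handle that was just verified
    Ok(out)
}

/// Constructed demo: an output name ("xaa") is a symlink to the input file.
/// Returns (was the symlinked output refused?, input contents afterwards).
pub fn demo() -> io::Result<(bool, Vec<u8>)> {
    let dir = std::env::temp_dir().join(format!("split_toctou_demo_{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let input_path = dir.join("input.txt");
    fs::write(&input_path, b"important data\n")?;
    let link = dir.join("xaa");
    let _ = fs::remove_file(&link); // tolerate leftovers from an earlier run
    symlink(&input_path, &link)?;

    let input = File::open(&input_path)?;
    let refused = open_output_checked(&input, &link).is_err();
    // An ordinary output name is still created, truncated and writable.
    let mut chunk = open_output_checked(&input, &dir.join("xab"))?;
    chunk.write_all(b"chunk")?;
    let survived = fs::read(&input_path)?;
    fs::remove_dir_all(&dir)?;
    Ok((refused, survived))
}

fn main() -> io::Result<()> {
    let (refused, survived) = demo()?;
    println!("refused={refused} input_bytes={}", survived.len());
    Ok(())
}
```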

Weakness Enumeration

Time Of Check To Time Of Use

Related Identifiers

CVE-2026-35374
GHSA-4WRP-79M8-9M9P

Affected Products

Uutils Coreutils