CVE-2026-35357 PUBLISHED

uutils coreutils cp Information Disclosure via Permission Handling Race

Assigner: canonical
Reserved: 02.04.2026 Published: 22.04.2026 Updated: 22.04.2026

The cp utility in uutils coreutils is vulnerable to an information disclosure race condition. Destination files are initially created with umask-derived permissions (e.g., 0644) before being restricted to their final mode (e.g., 0600) later in the process. A local attacker can race to open the file during this window; once obtained, the file descriptor remains valid and readable even after the permissions are tightened, exposing sensitive or private file contents.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 4.7

Attack Vector	Local	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Uutils
Product	coreutils
Versions	Default: affected

Credits

Zellic finder

References

https://github.com/uutils/coreutils/issues/10011

Problem Types

CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition CWE

Impacts

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions