CVE-2026-35359 PUBLISHED

uutils coreutils cp Information Disclosure via Time-of-Check to Time-of-Use Symlink Swap

Assigner: canonical
Reserved: 02.04.2026 Published: 22.04.2026 Updated: 22.04.2026

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a source path is a symbolic link using path-based metadata but subsequently opens it without the O_NOFOLLOW flag. An attacker with concurrent write access can swap a regular file for a symbolic link during this window, causing a privileged cp process to copy the contents of arbitrary sensitive files into a destination controlled by the attacker.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 4.7

Attack Vector	Local	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Uutils
Product	coreutils
Versions	Default: affected

Credits

Zellic finder

References

https://github.com/uutils/coreutils/issues/10017

Problem Types

CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition CWE
CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE

Impacts

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
CAPEC-132: Symlink Attack