{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35359", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-04-02T12:58:56.087Z", "datePublished": "2026-04-22T16:08:25.506Z", "dateUpdated": "2026-04-22T17:50:54.548Z"}, "containers": {"cna": {"title": "uutils coreutils cp Information Disclosure via Time-of-Check to Time-of-Use Symlink Swap", "affected": [{"vendor": "Uutils", "product": "coreutils", "platforms": ["Linux", "Unix", "macOS"], "collectionURL": "https://github.com/uutils", "packageName": "coreutils", "repo": "https://github.com/uutils/coreutils", "defaultStatus": "affected"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-367", "description": "CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition", "type": "CWE"}, {"lang": "en", "cweId": "CWE-59", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-29", "descriptions": [{"lang": "en", "value": "CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"}]}, {"capecId": "CAPEC-132", "descriptions": [{"lang": "en", "value": "CAPEC-132: Symlink Attack"}]}], "descriptions": [{"lang": "en", "value": "A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a source path is a symbolic link using path-based metadata but subsequently opens it without the O_NOFOLLOW flag. An attacker with concurrent write access can swap a regular file for a symbolic link during this window, causing a privileged cp process to copy the contents of arbitrary sensitive files into a destination controlled by the attacker."}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10017", "tags": ["issue-tracking"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "credits": [{"lang": "en", "value": "Zellic", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:08:25.506Z"}}, "adp": [{"references": [{"url": "https://github.com/uutils/coreutils/issues/10017", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T17:50:51.990482Z", "id": "CVE-2026-35359", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:50:54.548Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35359", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T17:50:51.990482Z"}}}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10017", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:50:44.706Z"}}], "cna": {"title": "uutils coreutils cp Information Disclosure via Time-of-Check to Time-of-Use Symlink Swap", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Zellic"}], "impacts": [{"capecId": "CAPEC-29", "descriptions": [{"lang": "en", "value": "CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"}]}, {"capecId": "CAPEC-132", "descriptions": [{"lang": "en", "value": "CAPEC-132: Symlink Attack"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/uutils/coreutils", "vendor": "Uutils", "product": "coreutils", "platforms": ["Linux", "Unix", "macOS"], "packageName": "coreutils", "collectionURL": "https://github.com/uutils", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10017", "tags": ["issue-tracking"]}], "descriptions": [{"lang": "en", "value": "A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a source path is a symbolic link using path-based metadata but subsequently opens it without the O_NOFOLLOW flag. An attacker with concurrent write access can swap a regular file for a symbolic link during this window, causing a privileged cp process to copy the contents of arbitrary sensitive files into a destination controlled by the attacker."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition"}, {"lang": "en", "type": "CWE", "cweId": "CWE-59", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:08:25.506Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35359", "state": "PUBLISHED", "dateUpdated": "2026-04-22T17:50:54.548Z", "dateReserved": "2026-04-02T12:58:56.087Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-04-22T16:08:25.506Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:*", "matchCriteriaId": "4A9AF9E4-E17C-48AD-8051-B49998618839", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a source path is a symbolic link using path-based metadata but subsequently opens it without the O_NOFOLLOW flag. An attacker with concurrent write access can swap a regular file for a symbolic link during this window, causing a privileged cp process to copy the contents of arbitrary sensitive files into a destination controlled by the attacker."}], "id": "CVE-2026-35359", "lastModified": "2026-04-24T19:02:25.720", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2026-04-22T17:16:38.537", "references": [{"source": "security@ubuntu.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/uutils/coreutils/issues/10017"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/uutils/coreutils/issues/10017"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}, {"lang": "en", "value": "CWE-367"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["linux", "unix", "macos"], "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "coreutils", "source": "cna", "vendor": "Uutils"}, "product": "coreutils", "vendor": "uutils"}], "analysis": {"en": {"generated_at": "2026-04-28T08:00:19.786395+00:00", "value": {"mitigation_remediation": ["Apply the latest patched release of uutils coreutils where the cp implementation uses the O_NOFOLLOW flag and removes the TOCTOU race condition (addressing CWE\u2011367 and CWE\u201159).", "Limit write permissions on directories that are subject to cp operations to a minimal set of trusted users, preventing attackers from performing the symlink swap during the check\u2011use window.", "Execute cp under the lowest privilege level required for the copy task, and when elevation is necessary, preferentially use the operating system\u2019s cp command that enforces no\u2011dereference semantics.", "If a fixed binary is not yet available, wrap the cp invocation with a wrapper that checks for symlinks and sets O_NOFOLLOW before opening the source file, thereby mitigating the CWE\u201159 weakness."], "summary": {"action": "Update or Mitigate", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Uutils coreutils product, specifically the cp command. No version numbers are provided, so all current releases that include the cp utility could be vulnerable until a fixed version is released.", "description_and_impact": "A Time\u2011of\u2011Check to Time\u2011of\u2011Use flaw (CWE\u2011367) in the cp utility of uutils coreutils allows an attacker to bypass the no\u2011dereference intent by swapping a regular file for a symbolic link between the check and the open operation, exploiting the lack of the O_NOFOLLOW flag (CWE\u201159). The attacker may use concurrent write access to perform the swap and then cause a privileged cp process to copy the contents of arbitrary sensitive files into a destination the attacker controls, resulting in exposure of confidential data.", "risk_and_exploitability": "The CVSS score of 4.7 marks it as moderate severity. The EPSS score is reported as less than 1\u202f%, indicating a low probability of exploitation currently. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require the attacker to have concurrent write access to the source or destination location and the ability to run the cp command with elevated privileges. Without proper mitigations, the risk remains of confidential data being disclosed."}}}}, "created": "2026-04-22T18:15:15.483590+00:00", "updated": "2026-04-28T08:15:23.644655+00:00", "vendors": ["uutils", "uutils$PRODUCT$coreutils"]}