{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35360", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-04-02T12:58:56.088Z", "datePublished": "2026-04-22T16:08:28.218Z", "dateUpdated": "2026-04-22T18:03:26.466Z"}, "containers": {"cna": {"title": "uutils coreutils touch Arbitrary File Truncation via TOCTOU Race Condition", "affected": [{"vendor": "Uutils", "product": "coreutils", "platforms": ["Linux", "Unix", "macOS"], "collectionURL": "https://github.com/uutils", "packageName": "coreutils", "repo": "https://github.com/uutils/coreutils", "defaultStatus": "affected"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-367", "description": "CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-29", "descriptions": [{"lang": "en", "value": "CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"}]}], "descriptions": [{"lang": "en", "value": "The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss."}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10019", "tags": ["issue-tracking"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Zellic", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:08:28.218Z"}}, "adp": [{"references": [{"url": "https://github.com/uutils/coreutils/issues/10019", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T18:03:23.474289Z", "id": "CVE-2026-35360", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:03:26.466Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35360", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-22T18:03:23.474289Z"}}}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10019", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:03:16.052Z"}}], "cna": {"title": "uutils coreutils touch Arbitrary File Truncation via TOCTOU Race Condition", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Zellic"}], "impacts": [{"capecId": "CAPEC-29", "descriptions": [{"lang": "en", "value": "CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/uutils/coreutils", "vendor": "Uutils", "product": "coreutils", "platforms": ["Linux", "Unix", "macOS"], "packageName": "coreutils", "collectionURL": "https://github.com/uutils", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10019", "tags": ["issue-tracking"]}], "descriptions": [{"lang": "en", "value": "The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:08:28.218Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35360", "state": "PUBLISHED", "dateUpdated": "2026-04-22T18:03:26.466Z", "dateReserved": "2026-04-02T12:58:56.088Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-04-22T16:08:28.218Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:*", "matchCriteriaId": "4A9AF9E4-E17C-48AD-8051-B49998618839", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss."}], "id": "CVE-2026-35360", "lastModified": "2026-04-24T19:02:11.560", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.2, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2026-04-22T17:16:38.673", "references": [{"source": "security@ubuntu.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/uutils/coreutils/issues/10019"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/uutils/coreutils/issues/10019"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["linux", "unix", "macos"], "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "coreutils", "source": "cna", "vendor": "Uutils"}, "product": "coreutils", "vendor": "uutils"}], "analysis": {"en": {"generated_at": "2026-04-28T08:00:06.147125+00:00", "value": {"mitigation_remediation": ["Apply an updated release of uutils coreutils that addresses the TOCTOU race condition once it becomes available.", "Restrict write permissions on directories frequently accessed by the touch command so that only authorized users can create or replace files there.", "Configure the filesystem or use ACLs to prevent ordinary users from creating or modifying symlinks that resolve to critical files.", "Implement file integrity monitoring so that unexpected truncation or changes to important files are rapidly detected and logged."], "summary": {"action": "Patch", "impact": "Data Loss via Arbitrary File Truncation"}, "threat_synthesis": {"affected_systems": "The affected product is uutils coreutils. No specific version information is supplied, so all releases that include the touch utility are potentially vulnerable until a patch is released.", "description_and_impact": "The touch command in uutils coreutils can truncate an existing file when a Time\u2011of\u2011Check to Time\u2011of\u2011Use (TOCTOU) race condition occurs. During file creation, the utility verifies that the target path is missing and later calls File::create(), which internally uses O_TRUNC. An attacker can exploit the window between the check and the use by creating or switching a symbolic link at the target path, causing the touch command to truncate an existing file and permanently erase its data. This weakness corresponds to CWE\u2011367 and can lead to irreversible loss of critical information.", "risk_and_exploitability": "The CVSS score of 6.3 and an EPSS score of less than 1% indicate medium severity and a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is inferred to be local or privileged service execution where the attacker can influence file creation paths. Based on the description, an attacker with write permission to the target directory can create or swap a symlink at the race window, leading to the accidental truncation of an existing file. Because no publicly available patch exists, the risk remains until a fix is applied or mitigated by restrictive permissions."}}}}, "created": "2026-04-22T18:15:15.483260+00:00", "updated": "2026-04-28T08:00:14.358381+00:00", "vendors": ["uutils", "uutils$PRODUCT$coreutils"]}