{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35364", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-04-02T12:58:56.088Z", "datePublished": "2026-04-22T16:08:38.522Z", "dateUpdated": "2026-04-22T17:22:25.742Z"}, "containers": {"cna": {"title": "uutils coreutils mv Arbitrary File Overwrite via Cross-Device TOCTOU Race Condition", "affected": [{"vendor": "Uutils", "product": "coreutils", "platforms": ["Linux", "Unix", "macOS"], "collectionURL": "https://github.com/uutils", "packageName": "coreutils", "repo": "https://github.com/uutils/coreutils", "defaultStatus": "affected"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-367", "description": "CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-29", "descriptions": [{"lang": "en", "value": "CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"}]}], "descriptions": [{"lang": "en", "value": "A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation. A local attacker with write access to the destination directory can exploit this window to replace the destination with a symbolic link. The subsequent privileged move operation will follow the symlink, allowing the attacker to redirect the write and overwrite an arbitrary target file with contents from the source."}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10015", "tags": ["issue-tracking"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Zellic", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:08:38.522Z"}}, "adp": [{"references": [{"url": "https://github.com/uutils/coreutils/issues/10015", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T17:21:47.040687Z", "id": "CVE-2026-35364", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:22:25.742Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35364", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T17:21:47.040687Z"}}}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10015", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:21:39.628Z"}}], "cna": {"title": "uutils coreutils mv Arbitrary File Overwrite via Cross-Device TOCTOU Race Condition", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Zellic"}], "impacts": [{"capecId": "CAPEC-29", "descriptions": [{"lang": "en", "value": "CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/uutils/coreutils", "vendor": "Uutils", "product": "coreutils", "platforms": ["Linux", "Unix", "macOS"], "packageName": "coreutils", "collectionURL": "https://github.com/uutils", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10015", "tags": ["issue-tracking"]}], "descriptions": [{"lang": "en", "value": "A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation. A local attacker with write access to the destination directory can exploit this window to replace the destination with a symbolic link. The subsequent privileged move operation will follow the symlink, allowing the attacker to redirect the write and overwrite an arbitrary target file with contents from the source."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:08:38.522Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35364", "state": "PUBLISHED", "dateUpdated": "2026-04-22T17:22:25.742Z", "dateReserved": "2026-04-02T12:58:56.088Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-04-22T16:08:38.522Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:*", "matchCriteriaId": "4A9AF9E4-E17C-48AD-8051-B49998618839", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation. A local attacker with write access to the destination directory can exploit this window to replace the destination with a symbolic link. The subsequent privileged move operation will follow the symlink, allowing the attacker to redirect the write and overwrite an arbitrary target file with contents from the source."}], "id": "CVE-2026-35364", "lastModified": "2026-04-24T19:19:11.777", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.2, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2026-04-22T17:16:39.737", "references": [{"source": "security@ubuntu.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/uutils/coreutils/issues/10015"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/uutils/coreutils/issues/10015"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["linux", "unix", "macos"], "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "coreutils", "source": "cna", "vendor": "Uutils"}, "product": "coreutils", "vendor": "uutils"}], "analysis": {"en": {"generated_at": "2026-04-27T08:40:04.185050+00:00", "value": {"mitigation_remediation": ["Update uutils coreutils to the latest release that contains the TOCTOU fix.", "Limit write permissions on destination directories to prevent untrusted local users from performing cross\u2011device moves.", "If a patch is not yet available, avoid cross\u2011device moves by copying the file within the same filesystem and then deleting the original, or use safer tools such as rsync with appropriate options."], "summary": {"action": "Patch", "impact": "Arbitrary File Overwrite"}, "threat_synthesis": {"affected_systems": "The affected product is the mv command in the uutils coreutils package. No specific version information is listed, so any unpatched installation of this utility could be vulnerable.", "description_and_impact": "The mv utility in uutils coreutils contains a Time\u2011of\u2011Check to Time\u2011of\u2011Use race condition that occurs during cross\u2011device moves. The tool removes the destination path before copying the new file, creating a window where a local attacker can replace the destination with a symbolic link. When mv then performs the privileged move, it follows the symlink and writes the source contents to an arbitrary target file, potentially corrupting or replacing critical data.", "risk_and_exploitability": "The CVSS score of 6.3 indicates moderate severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widely known exploitation. The attack requires local write access to the destination directory and a cross\u2011device move, conditions that are common on shared or multi\u2011user systems. If an attacker gains this capability, they can overwrite arbitrary files, leading to data loss or potential privilege escalation."}}}}, "created": "2026-04-22T18:15:15.482781+00:00", "updated": "2026-04-27T19:54:17.243277+00:00", "vendors": ["uutils", "uutils$PRODUCT$coreutils"]}