{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5958", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2026-04-09T09:42:24.687Z", "datePublished": "2026-04-20T11:59:32.214Z", "dateUpdated": "2026-05-13T05:17:46.051Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Sed", "repo": "https://gitweb.git.savannah.gnu.org/gitweb/?p=sed.git", "vendor": "GNU", "versions": [{"lessThan": "4.10", "status": "affected", "version": "4.1e", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Micha\u0142 Majchrowicz (AFINE Team)"}, {"lang": "en", "type": "finder", "value": "Marcin Wyczechowski (AFINE Team)"}], "datePublic": "2026-04-20T12:03:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: <br>1. resolves symlink to its target and stores&nbsp;the resolved path for determining when output is written,<br>2. opens the original symlink path&nbsp;(not the resolved one) to read the file. <br>Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1.&nbsp;This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process.<br><br><br>This issue was fixed in version 4.10."}], "value": "When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: \n1. resolves symlink to its target and stores\u00a0the resolved path for determining when output is written,\n2. opens the original symlink path\u00a0(not the resolved one) to read the file. \nBetween these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1.\u00a0This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process.\n\n\nThis issue was fixed in version 4.10."}], "impacts": [{"capecId": "CAPEC-29", "descriptions": [{"lang": "en", "value": "CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 2.1, "baseSeverity": "LOW", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-04-20T12:05:22.221Z"}, "references": [{"tags": ["product"], "url": "https://www.gnu.org/software/sed/"}, {"tags": ["third-party-advisory"], "url": "https://cert.pl/en/posts/2026/04/CVE-2026-5958"}], "source": {"discovery": "EXTERNAL"}, "tags": ["x_open-source"], "title": "Race Condition in GNU Sed", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T13:25:51.313140Z", "id": "CVE-2026-5958", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T13:25:59.530Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/05/13/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-05-13T05:17:46.051Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/05/13/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-05-13T05:17:46.051Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5958", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T13:25:51.313140Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T13:25:56.168Z"}}], "cna": {"tags": ["x_open-source"], "title": "Race Condition in GNU Sed", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Micha\u0142 Majchrowicz (AFINE Team)"}, {"lang": "en", "type": "finder", "value": "Marcin Wyczechowski (AFINE Team)"}], "impacts": [{"capecId": "CAPEC-29", "descriptions": [{"lang": "en", "value": "CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.1, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://gitweb.git.savannah.gnu.org/gitweb/?p=sed.git", "vendor": "GNU", "product": "Sed", "versions": [{"status": "affected", "version": "4.1e", "lessThan": "4.10", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2026-04-20T12:03:00.000Z", "references": [{"url": "https://www.gnu.org/software/sed/", "tags": ["product"]}, {"url": "https://cert.pl/en/posts/2026/04/CVE-2026-5958", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: \n1. resolves symlink to its target and stores\u00a0the resolved path for determining when output is written,\n2. opens the original symlink path\u00a0(not the resolved one) to read the file. \nBetween these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1.\u00a0This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process.\n\n\nThis issue was fixed in version 4.10.", "supportingMedia": [{"type": "text/html", "value": "When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: <br>1. resolves symlink to its target and stores&nbsp;the resolved path for determining when output is written,<br>2. opens the original symlink path&nbsp;(not the resolved one) to read the file. <br>Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1.&nbsp;This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process.<br><br><br>This issue was fixed in version 4.10.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-04-20T12:05:22.221Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5958", "state": "PUBLISHED", "dateUpdated": "2026-05-13T05:17:46.051Z", "dateReserved": "2026-04-09T09:42:24.687Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2026-04-20T11:59:32.214Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: \n1. resolves symlink to its target and stores\u00a0the resolved path for determining when output is written,\n2. opens the original symlink path\u00a0(not the resolved one) to read the file. \nBetween these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1.\u00a0This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process.\n\n\nThis issue was fixed in version 4.10."}], "id": "CVE-2026-5958", "lastModified": "2026-05-13T06:16:14.780", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cvd@cert.pl", "type": "Secondary"}]}, "published": "2026-04-20T12:16:08.433", "references": [{"source": "cvd@cert.pl", "url": "https://cert.pl/en/posts/2026/04/CVE-2026-5958"}, {"source": "cvd@cert.pl", "url": "https://www.gnu.org/software/sed/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/05/13/1"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "cvd@cert.pl", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4.1e,4.10)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Sed", "source": "cna", "vendor": "GNU"}, "product": "sed", "vendor": "gnu"}], "analysis": {"en": {"generated_at": "2026-04-20T13:50:37.062248+00:00", "value": {"mitigation_remediation": ["Upgrade GNU Sed to version 4.10 or newer to eliminate the race condition", "If an upgrade is not immediately possible, avoid using the --follow-symlinks option together with -i", "Restrict the permissions of the directory and symlinks involved so that only trusted users can modify them, or run sed in a restricted environment (e.g., container) where symlink changes are not possible"], "summary": {"action": "Update Sed", "impact": "Arbitrary file overwrite"}, "threat_synthesis": {"affected_systems": "Version information is not explicitly listed, but the advisory notes that the problem was fixed in sed 4.10. Therefore, all GNU Sed installations older than 4.10 that invoke -i together with --follow-symlinks are vulnerable. The flaw applies to systems running standard Sed binaries on Unix\u2011like platforms where an attacker can change the target of a symlink during the race window.", "description_and_impact": "The vulnerability is a race condition that occurs when GNU Sed is called with the -i (in-place edit) and --follow-symlinks options. The program resolves a symlink to its target and records that target, then opens the original path to read the file. Between those two operations the attacker can replace the symlink atomically, causing Sed to read from a new target and write the processed result to the original path. This flaw is a CWE\u2011367 concurrent modification issue and can lead to arbitrary file overwrite with attacker\u2011controlled content. The impact is limited to situations where Sed is run with both options; no information leaks or denial of service are described.", "risk_and_exploitability": "The CVSS score of 2.1 indicates a low\u2011severity vulnerability. EPS score is unavailable and the vulnerability is not in the CISA KEV catalog, meaning no large\u2011scale exploit activity is currently documented. The most likely attack vector is a local attacker who can run or influence a Sed process and can modify symlinks on the same filesystem. Successful exploitation requires the attacker to read from the new symlink target and overwrite the recorded target; thus the threat is limited to privileged or compromised local environments rather than remote attacks."}}}}, "created": "2026-04-20T13:30:05.576439+00:00", "updated": "2026-04-20T14:00:08.157303+00:00", "vendors": ["gnu", "gnu$PRODUCT$sed"]}