Low severity3.3NVD Advisory· Published Apr 22, 2026· Updated May 4, 2026

CVE-2026-35342

Description

The mktemp utility in uutils coreutils fails to properly handle an empty TMPDIR environment variable. Unlike GNU mktemp, which falls back to /tmp when TMPDIR is an empty string, the uutils implementation treats the empty string as a valid path. This causes temporary files to be created in the current working directory (CWD) instead of the intended secure temporary directory. If the CWD is more permissive or accessible to other users than /tmp, it may lead to unintended information disclosure or unauthorized access to temporary data.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
coreutilscrates.io	< 0.6.0	0.6.0

Affected products

Uutils/Coreutilsreferences2 versions
(expand)+ 1 more
- (no CPE)
- cpe:2.3:a:uutils:coreutils:*:*:*:*:*:rust:*:*range: <0.6.0

Patches

eb25ec328b22

Merge pull request #10566 from reubenwong97/patch/mktemp-fallback

https://github.com/uutils/coreutilsChris DrydenJan 31, 2026via ghsa

commit

2 files changed · +69 −4

src/uu/mktemp/src/mktemp.rs+12 −4 modified

@@ -44,6 +44,8 @@ const TMPDIR_ENV_VAR: &str = "TMPDIR";
 #[cfg(windows)]
 const TMPDIR_ENV_VAR: &str = "TMP";
 
+const FALLBACK_TMPDIR: &str = "/tmp";
+
 #[derive(Error, Debug)]
 enum MkTempError {
     #[error("{}", translate!("mktemp-error-persist-file", "path" => .0.quote()))]
@@ -119,14 +121,12 @@ impl Options {
                 Some(d) => d.clone(),
                 // Otherwise use $TMPDIR if set, else use the system's default
                 // temporary directory.
-                None => env::var(TMPDIR_ENV_VAR)
-                    .ok()
-                    .map_or_else(env::temp_dir, PathBuf::from),
+                None => get_tmpdir_env_or_default(),
             });
         let (tmpdir, template) = match matches.get_one::<OsString>(ARG_TEMPLATE) {
             // If no template argument is given, `--tmpdir` is implied.
             None => {
-                let tmpdir = Some(tmpdir.unwrap_or_else(env::temp_dir));
+                let tmpdir = Some(tmpdir.unwrap_or_else(get_tmpdir_env_or_default));
                 let template = DEFAULT_TEMPLATE;
                 (tmpdir, OsString::from(template))
             }
@@ -595,6 +595,14 @@ fn exec(dir: &Path, prefix: &str, rand: usize, suffix: &str, make_dir: bool) ->
     Ok(path)
 }
 
+/// Reads from `TMPDIR_ENV_VAR` but defaults to /tmp if value is set to empty string.
+fn get_tmpdir_env_or_default() -> PathBuf {
+    match env::var_os(TMPDIR_ENV_VAR) {
+        Some(val) if val.is_empty() => PathBuf::from(FALLBACK_TMPDIR),
+        _ => env::temp_dir(),
+    }
+}
+
 /// Create a temporary file or directory
 ///
 /// Behavior is determined by the `options` parameter, see [`Options`] for details.

tests/by-util/test_mktemp.rs+57 −0 modified

@@ -862,6 +862,63 @@ fn test_nonexistent_tmpdir_env_var() {
     }
 }
 
+#[test]
+fn test_empty_tmpdir_env_var() {
+    #[cfg(not(any(windows, target_os = "android")))]
+    {
+        let result = new_ucmd!().env(TMPDIR, "").succeeds();
+        assert!(result.stdout_str().starts_with("/tmp"));
+    }
+
+    #[cfg(any(windows, target_os = "android"))]
+    {
+        let result = new_ucmd!().env(TMPDIR, "").fails();
+        result.no_stdout();
+        let stderr = result.stderr_str();
+        assert!(
+            stderr.starts_with("mktemp: failed to create file via template"),
+            "{stderr}"
+        );
+        #[cfg(windows)]
+        assert!(
+            stderr.ends_with("/tmp\\tmp.XXXXXXXXXX': No such file or directory\n"),
+            "{stderr}",
+        );
+        #[cfg(target_os = "android")]
+        assert!(
+            stderr.ends_with("/tmp/tmp.XXXXXXXXXX': No such file or directory\n"),
+            "{stderr}",
+        );
+    }
+
+    #[cfg(not(any(windows, target_os = "android")))]
+    {
+        let result = new_ucmd!().env(TMPDIR, "").arg("-d").succeeds();
+        assert!(result.stdout_str().starts_with("/tmp"));
+    }
+
+    #[cfg(any(windows, target_os = "android"))]
+    {
+        let result = new_ucmd!().env(TMPDIR, "").arg("-d").fails();
+        result.no_stdout();
+        let stderr = result.stderr_str();
+        assert!(
+            stderr.starts_with("mktemp: failed to create directory via template"),
+            "{stderr}"
+        );
+        #[cfg(windows)]
+        assert!(
+            stderr.ends_with("/tmp\\tmp.XXXXXXXXXX': No such file or directory\n"),
+            "{stderr}",
+        );
+        #[cfg(target_os = "android")]
+        assert!(
+            stderr.ends_with("/tmp/tmp.XXXXXXXXXX': No such file or directory\n"),
+            "{stderr}",
+        );
+    }
+}
+
 #[test]
 fn test_nonexistent_dir_prefix() {
     #[cfg(not(windows))]

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/uutils/coreutils/pull/10566nvdIssue TrackingPatchWEB
github.com/advisories/GHSA-2cxp-xq3c-mjxxghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-35342ghsaADVISORY
github.com/uutils/coreutils/commit/eb25ec328b226d8fbbaa4058bf9187165bf06d51ghsaWEB
github.com/uutils/coreutils/releases/tag/0.6.0nvdRelease NotesWEB

News mentions

No linked articles in our index yet.

cvss	0.214
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000