Medium severity 4.7 · NVD Advisory · Published Apr 22, 2026 · Updated Apr 24, 2026
CVE-2026-35357
Description
The cp utility in uutils coreutils is vulnerable to an information disclosure race condition. Destination files are initially created with umask-derived permissions (e.g., 0644) before being restricted to their final mode (e.g., 0600) later in the process. A local attacker can race to open the file during this window; once obtained, the file descriptor remains valid and readable even after the permissions are tightened, exposing sensitive or private file contents.
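The create-then-chmod ordering described above, next to a restrictive-first ordering, as an added Rust example (not uutils code and not the project's patch). The function names, the scratch directory and the sample file are constructed for illustration, and `create_new` assumes the destination does not already exist.

```rust
use std::fs::{self, File, OpenOptions, Permissions};
use std::io;
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;

fn mode_of(f: &File) -> io::Result<u32> {
    Ok(f.metadata()?.permissions().mode() & 0o7777)
}

// Ordering from the description: umask-derived mode first, tightened afterwards. Returns (mode while data is on disk, final mode).
fn copy_then_chmod(src: &Path, dst: &Path) -> io::Result<(u32, u32)> {
    let want = mode_of(&File::open(src)?)?;
    let mut out = File::create(dst)?; // 0o666 & !umask, e.g. 0o644
    io::copy(&mut File::open(src)?, &mut out)?;
    let during = mode_of(&out)?;
    out.set_permissions(Permissions::from_mode(want))?; // descriptors opened before this stay readable
    Ok((during, mode_of(&out)?))
}

// Hardened ordering: the destination is created owner-only, so it is never wider than 0o600 while it holds data.
fn copy_restrictive_first(src: &Path, dst: &Path) -> io::Result<(u32, u32)> {
    let want = mode_of(&File::open(src)?)?;
    let mut out = OpenOptions::new().write(true).create_new(true).mode(0o600).open(dst)?; // O_EXCL + owner-only
    io::copy(&mut File::open(src)?, &mut out)?;
    let during = mode_of(&out)?;
    out.set_permissions(Permissions::from_mode(want))?; // fchmod on the handle we created
    Ok((during, mode_of(&out)?))
}

// Runs both orderings on a constructed 0o600 source file in a scratch directory.
fn demo() -> io::Result<[(u32, u32); 2]> {
    let dir = std::env::temp_dir().join(format!("cp-mode-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&dir);
    fs::create_dir_all(&dir)?;
    let src = dir.join("secret");
    fs::write(&src, b"constructed sample data\n")?;
    fs::set_permissions(&src, Permissions::from_mode(0o600))?;
    let weak = copy_then_chmod(&src, &dir.join("weak"))?;
    let hard = copy_restrictive_first(&src, &dir.join("hard"))?;
    fs::remove_dir_all(&dir)?;
    Ok([weak, hard])
}

fn main() -> io::Result<()> {
    let [weak, hard] = demo()?;
    println!("chmod-after:       during {:04o}, final {:04o}", weak.0, weak.1);
    println!("restrictive-first: during {:04o}, final {:04o}", hard.0, hard.1);
    Ok(())
}
```

Both orderings end at the source's mode; only the first leaves the copied data on disk under the wider umask-derived mode in between.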
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| coreutils (crates.io) | <= 0.8.0 | — |
Affected products
- osv-coords (3 versions): < 0.9.0-r0 + 2 more
- (no CPE) range: < 0.9.0-r0
- (no CPE) range: < 0.9.0-r0
- (no CPE) range: <= 0.8.0
References
- github.com/uutils/coreutils/issues/10011 (nvd: Exploit, Issue Tracking, Vendor Advisory; WEB)
- github.com/advisories/GHSA-2m8x-mvfx-gwgj (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-35357 (ghsa: ADVISORY)