Medium severity6.3NVD Advisory· Published Apr 22, 2026· Updated Apr 24, 2026

CVE-2026-35360

Description

The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
coreutilscrates.io	<= 0.8.0	—

Affected products

Uutils/Coreutils
cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/uutils/coreutils/issues/10019nvdExploitIssue TrackingVendor AdvisoryWEB
github.com/advisories/GHSA-q6m9-xj2w-xmrcghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-35360ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.410
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000