Medium severity6.3NVD Advisory· Published Apr 22, 2026· Updated Apr 24, 2026
CVE-2026-35364
CVE-2026-35364
Description
A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation. A local attacker with write access to the destination directory can exploit this window to replace the destination with a symbolic link. The subsequent privileged move operation will follow the symlink, allowing the attacker to redirect the write and overwrite an arbitrary target file with contents from the source.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
coreutilscrates.io | <= 0.8.0 | — |
Affected products
4- osv-coords3 versions
< 0.9.0-r0+ 2 more
- (no CPE)range: < 0.9.0-r0
- (no CPE)range: < 0.9.0-r0
- (no CPE)range: <= 0.8.0
Patches
Vulnerability mechanics
References
3- github.com/uutils/coreutils/issues/10015nvdExploitIssue TrackingVendor AdvisoryWEB
- github.com/advisories/GHSA-m976-87wm-48fmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-35364ghsaADVISORY
News mentions
0No linked articles in our index yet.