CVE-2026-35360

CVSS Score & Metrics

Base Score

6.3 / 10

Vector String

                                        CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H                                    

Vulnerability Description

The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss.

Vulnerability Details

Published Date

April 22, 2026

Last Modified

April 22, 2026

CWE ID

CWE-367

Source

NVD

Vendor

Uutils

Product

coreutils

External References

https://github.com/uutils/coreutils/issues/10019

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment