Skip to content

mknod: device nodes created mislabeled on SELinux, with broken cleanup (remove_dir on a node)

High
sylvestre published GHSA-r9hw-mj3w-phcq May 30, 2026

Package

cargo uu_mknod (Rust)

Affected versions

< 0.6.0

Patched versions

0.6.0

Description

uutils calls mknod before setting the SELinux context (GNU uses setfscreatecon first, labeling atomically). If set_selinux_security_context fails, cleanup uses std::fs::remove_dir, which cannot remove device nodes or FIFOs, leaving the mislabeled node behind.

Impact: on SELinux-enforcing systems the node is created with the wrong context; the command reports failure but leaves a mislabeled device node that may bypass mandatory access control, and orphaned nodes can persist across reboots. Recommendation: use setfscreatecon before mknod, abort on failure, and use remove_file for cleanup.

Remediation: Acknowledged by Canonical.


Reported by Zellic in the uutils coreutils Program Security Assessment (prepared for Canonical, Jan 20 2026), audited commit 3a07ffc5a9bd4c283e75afa548ba1f1957bad242. Finding 3.58. Credit: Zellic.

Severity

High

CVE ID

CVE-2026-35361

Weaknesses

Incomplete Cleanup

The product does not properly clean up and remove temporary or supporting resources after they have been used. Learn more on MITRE.

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. Learn more on MITRE.