Skip to content

uucore: safe_traversal TOCTOU protection only enabled on Linux

Low
sylvestre published GHSA-w6xc-g9qj-vp32 May 30, 2026

Package

cargo uucore (Rust)

Affected versions

< 0.6.0

Patched versions

0.6.0

Description

The safe_traversal module in uutils coreutils, which provides protection against Time-of-Check to Time-of-Use (TOCTOU) symlink races using file-descriptor-relative syscalls, is incorrectly limited to Linux targets. On other Unix-like systems such as macOS and FreeBSD, the utility fails to utilize these protections, leaving directory traversal operations vulnerable to symlink race conditions.


Zellic finding 3.59. Reported in the Zellic uutils coreutils Program Security Assessment (for Canonical, Jan 2026), audited commit 3a07ffc5a9bd4c283e75afa548ba1f1957bad242.

Severity

Low

CVE ID

CVE-2026-35362

Weaknesses

Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. Learn more on MITRE.