Fluid Attacks Database

Description

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the install utility of uutils coreutils when using the -D flag. The command creates parent directories and subsequently performs a second path resolution to create the target file, neither of which is anchored to a directory file descriptor. An attacker with concurrent write access can replace a path component with a symbolic link between these operations, redirecting the privileged write to an arbitrary file system location.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	rust-coreutils	=0.0.30-2 \|\| =0.0.30-3 \|\| =0.0.30-3~exp1 \|\| =0.0.30-4 \|\| =0.6.0-1 \|\| =0.7.0-1	-
debian 12	rust-coreutils	=0.0.17-2 \|\| =0.0.17-3 \|\| =0.0.17-4 \|\| =0.0.17-5 \|\| =0.0.17-6 \|\| =0.0.19-1 \|\| =0.0.19-2 \|\| =0.0.19-3 \|\| =0.0.20-1 \|\| =0.0.21-1 \|\| =0.0.22-1 \|\| =0.0.23-1 \|\| =0.0.23-2 \|\| =0.0.23-3 \|\| =0.0.24-1 \|\| =0.0.24-2 \|\| =0.0.26-1 \|\| =0.0.26-2 \|\| =0.0.26-3 \|\| =0.0.26-4 \|\| =0.0.26-5 \|\| =0.0.27-1 \|\| =0.0.27-2 \|\| =0.0.27-3 \|\| =0.0.30-1 \|\| =0.0.30-2 \|\| =0.0.30-3 \|\| =0.0.30-3~exp1 \|\| =0.0.30-4 \|\| =0.6.0-1 \|\| =0.7.0-1	-
cargo	coreutils	>=0 <0.7.0	0.7.0

Aliases

1. CVE-2026-353562. NVD-2026-353563. OSV-DEBIAN-2026-353564. OSV-2026-353565. GCVE-2026-353566. SECURITY-TRACKER-CVE-2026-35356

References

1. https://github.com/uutils/coreutils/pull/101402. https://github.com/uutils/coreutils/commit/0c41299975f3c1e21cf5ca968d42cad55ceb42a13. https://github.com/uutils/coreutils/releases/tag/0.7.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.