Fluid Attacks Database

Description

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a source path is a symbolic link using path-based metadata but subsequently opens it without the O_NOFOLLOW flag. An attacker with concurrent write access can swap a regular file for a symbolic link during this window, causing a privileged cp process to copy the contents of arbitrary sensitive files into a destination controlled by the attacker.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
debian 12	rust-coreutils	=0.0.17-2 \|\| =0.0.17-3 \|\| =0.0.17-4 \|\| =0.0.17-5 \|\| =0.0.17-6 \|\| =0.0.19-1 \|\| =0.0.19-2 \|\| =0.0.19-3 \|\| =0.0.20-1 \|\| =0.0.21-1 \|\| =0.0.22-1 \|\| =0.0.23-1 \|\| =0.0.23-2 \|\| =0.0.23-3 \|\| =0.0.24-1 \|\| =0.0.24-2 \|\| =0.0.26-1 \|\| =0.0.26-2 \|\| =0.0.26-3 \|\| =0.0.26-4 \|\| =0.0.26-5 \|\| =0.0.27-1 \|\| =0.0.27-2 \|\| =0.0.27-3 \|\| =0.0.30-1 \|\| =0.0.30-2 \|\| =0.0.30-3 \|\| =0.0.30-3~exp1 \|\| =0.0.30-4 \|\| =0.6.0-1 \|\| =0.7.0-1
debian 13	rust-coreutils	=0.0.30-2 \|\| =0.0.30-3 \|\| =0.0.30-3~exp1 \|\| =0.0.30-4 \|\| =0.6.0-1 \|\| =0.7.0-1
cargo	coreutils	>=0 <=0.8.0

Aliases

1. CVE-2026-353592. NVD-2026-353593. OSV-DEBIAN-2026-353594. OSV-2026-353595. GCVE-2026-353596. SECURITY-TRACKER-CVE-2026-35359

References

1. https://github.com/uutils/coreutils/issues/10017

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.