CVE-2026-35342: uutils coreutils' mktemp utility doesn't properly handle an empty TMPDIR environment variable

April 22, 2026 (updated April 29, 2026)

The mktemp utility in uutils coreutils fails to properly handle an empty TMPDIR environment variable. Unlike GNU mktemp, which falls back to /tmp when TMPDIR is an empty string, the uutils implementation treats the empty string as a valid path. This causes temporary files to be created in the current working directory (CWD) instead of the intended secure temporary directory. If the CWD is more permissive or accessible to other users than /tmp, it may lead to unintended information disclosure or unauthorized access to temporary data.

References

github.com/advisories/GHSA-2cxp-xq3c-mjxx
github.com/uutils/coreutils
github.com/uutils/coreutils/commit/eb25ec328b226d8fbbaa4058bf9187165bf06d51
github.com/uutils/coreutils/pull/10566
github.com/uutils/coreutils/releases/tag/0.6.0
nvd.nist.gov/vuln/detail/CVE-2026-35342

Code Behaviors & Features

Detect and mitigate CVE-2026-35342 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →