CVE-2026-35359: uutils coreutils has a Link Following issue
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass the utility's no-dereference intent. The utility checks whether a source path is a symbolic link using path-based metadata, but subsequently opens that path without the O_NOFOLLOW flag. An attacker with concurrent write access can swap a regular file for a symbolic link in the window between the check and the open, causing a privileged cp process to copy the contents of arbitrary sensitive files into a destination controlled by the attacker.
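The check-then-open ordering described above, as an added C example that is not uutils code: `is_symlink` plays the path-based metadata check, a plain `open()` the unguarded use, and `open_nofollow` the O_NOFOLLOW variant that lets the kernel enforce the no-dereference intent atomically. The fixture directory under /tmp, the file names and all function names are constructed for this demonstration.

```c
#define _GNU_SOURCE            /* for O_NOFOLLOW and mkdtemp on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
struct toctou_result { int setup_ok, checked_regular, plain_opened, nofollow_errno; };

/* The "check": path-based metadata, as in the vulnerable cp. */
static int is_symlink(const char *path) {
    struct stat st;
    return lstat(path, &st) == 0 && S_ISLNK(st.st_mode);
}

/* Hardened "use": O_NOFOLLOW makes the kernel enforce the no-dereference
 * intent at open time; a symlink in the final component fails with ELOOP. */
int open_nofollow(const char *path) {
    return open(path, O_RDONLY | O_NOFOLLOW);
}

/* Constructed fixture reproducing the check/use ordering: src is a regular
 * file when checked and a symlink when opened. Records whether the plain
 * open() followed the link and what errno the O_NOFOLLOW open returned. */
struct toctou_result run_toctou_demo(void) {
    struct toctou_result r = {0, 0, 0, 0};
    char dir[] = "/tmp/nofollow-demo-XXXXXX", src[64], secret[64];
    if (mkdtemp(dir) == NULL) return r;
    snprintf(src, sizeof src, "%s/src", dir);
    snprintf(secret, sizeof secret, "%s/secret", dir);
    int fd = open(src, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return r;
    close(fd);
    if ((fd = open(secret, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) return r;
    close(fd);
    r.checked_regular = !is_symlink(src);  /* check: src is a regular file */
    /* The window the advisory describes: src changes between check and use. */
    unlink(src);
    if (symlink(secret, src) != 0) return r;
    fd = open(src, O_RDONLY);              /* use without O_NOFOLLOW: follows */
    r.plain_opened = (fd >= 0);
    if (fd >= 0) close(fd);
    errno = 0;
    fd = open_nofollow(src);               /* hardened use: refuses the link */
    r.nofollow_errno = (fd >= 0) ? 0 : errno;
    if (fd >= 0) close(fd);
    unlink(src); unlink(secret); rmdir(dir);
    r.setup_ok = 1;
    return r;
}
```

With the fixture in place, the plain open succeeds on the swapped-in link while the O_NOFOLLOW open fails with ELOOP, which is the behaviour a fixed cp relies on.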