CVE-2026-35364: uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition

April 22, 2026 (updated April 30, 2026)

A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation. A local attacker with write access to the destination directory can exploit this window to replace the destination with a symbolic link. The subsequent privileged move operation will follow the symlink, allowing the attacker to redirect the write and overwrite an arbitrary target file with contents from the source.

References

github.com/advisories/GHSA-m976-87wm-48fm
github.com/uutils/coreutils
github.com/uutils/coreutils/issues/10015
nvd.nist.gov/vuln/detail/CVE-2026-35364

Code Behaviors & Features

Detect and mitigate CVE-2026-35364 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →