TOCTOU Flaw in coreutils mkfifo: Local Privilege Escalation Risk
The National Vulnerability Database has identified CVE-2026-35352, a Time-of-Check to Time-of-Use (TOCTOU) race condition in the mkfifo utility within uutils coreutils. This flaw allows a local attacker with write permissions to the parent directory to exploit the window between mkfifo creating a FIFO and setting its permissions. By swapping the newly created FIFO for a symbolic link, the attacker can redirect the chmod operation to an arbitrary file, potentially leading to privilege escalation if the utility is executed with elevated rights.
The CVSS score of 7 (HIGH) highlights the severity of this vulnerability. While affected products are not explicitly detailed by the National Vulnerability Database, the nature of the attack implies any system utilizing this version of coreutils is at risk, particularly in shared or multi-user environments where local access is present. Defenders must be aware that even seemingly benign utilities can harbor critical security flaws.
To mitigate this risk, organizations should prioritize patching or updating their uutils coreutils installation to a version that addresses CVE-2026-35352. For systems where patching is not immediately feasible, restricting write access to parent directories where mkfifo might be used, especially by unprivileged users, can serve as a compensating control. Auditing execution logs for suspicious mkfifo usage or permission changes could also provide early detection.
What This Means For You
- If your environment uses uutils coreutils, you need to verify the version and apply patches for CVE-2026-35352 immediately. Pay close attention to systems where local, unprivileged users might have write access to directories where utilities like `mkfifo` are executed, as this is the primary vector for privilege escalation.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Privilege Escalation via coreutils mkfifo TOCTOU Race Condition - CVE-2026-35352
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-35352 | Vulnerability | CVE-2026-35352 |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 22, 2026 at 20:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related Posts
CVE-2026-34066 — nimiq-blockchain provides persistent block storage for
CVE-2026-34066 — nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryStore::put_historic_txns` uses an `assert!` to enforce invariants about `HistoricTransaction.block_number` (must...
Nimiq Primitives Node Panic via Malformed BLS Key
CVE-2026-34065 — nimiq-primitives contains primitives (e.g., block, account, transaction) to be used in Nimiq's Rust implementation. Prior to version 1.3.0, an untrusted p2p peer can...
CVE-2026-34064 — nimiq-account contains account primitives to be used in
CVE-2026-34064 — nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `VestingContract::can_change_balance` returns `AccountError::InsufficientFunds` when `new_balance < min_cap`, but...