CVE-2026-35362

· NIST NVD ↗

The safe_traversal module in uutils coreutils, which provides protection against Time-of-Check to Time-of-Use (TOCTOU) symlink races using file-descriptor-relative syscalls, is incorrectly limited to Linux targets. On other Unix-like systems such as macOS and FreeBSD, the utility fails to utilize these protections, leaving directory traversal operations vulnerable to symlink race conditions.

LOW
CVSS severity
3.6
CVSS base score
2026-04-22
Published

CWE codes

CWE-367

Affected products

uutils:coreutils

Sources