{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35360", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-04-02T12:58:56.088Z", "datePublished": "2026-04-22T16:08:28.218Z", "dateUpdated": "2026-04-22T18:03:26.466Z"}, "containers": {"cna": {"title": "uutils coreutils touch Arbitrary File Truncation via TOCTOU Race Condition", "affected": [{"vendor": "Uutils", "product": "coreutils", "platforms": ["Linux", "Unix", "macOS"], "collectionURL": "https://github.com/uutils", "packageName": "coreutils", "repo": "https://github.com/uutils/coreutils", "defaultStatus": "affected"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-367", "description": "CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-29", "descriptions": [{"lang": "en", "value": "CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"}]}], "descriptions": [{"lang": "en", "value": "The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss."}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10019", "tags": ["issue-tracking"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Zellic", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:08:28.218Z"}}, "adp": [{"references": [{"url": "https://github.com/uutils/coreutils/issues/10019", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T18:03:23.474289Z", "id": "CVE-2026-35360", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:03:26.466Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35360", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-22T18:03:23.474289Z"}}}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10019", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:03:16.052Z"}}], "cna": {"title": "uutils coreutils touch Arbitrary File Truncation via TOCTOU Race Condition", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Zellic"}], "impacts": [{"capecId": "CAPEC-29", "descriptions": [{"lang": "en", "value": "CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/uutils/coreutils", "vendor": "Uutils", "product": "coreutils", "platforms": ["Linux", "Unix", "macOS"], "packageName": "coreutils", "collectionURL": "https://github.com/uutils", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/uutils/coreutils/issues/10019", "tags": ["issue-tracking"]}], "descriptions": [{"lang": "en", "value": "The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:08:28.218Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35360", "state": "PUBLISHED", "dateUpdated": "2026-04-22T18:03:26.466Z", "dateReserved": "2026-04-02T12:58:56.088Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-04-22T16:08:28.218Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss."}], "id": "CVE-2026-35360", "lastModified": "2026-04-22T21:23:52.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.2, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2026-04-22T17:16:38.673", "references": [{"source": "security@ubuntu.com", "url": "https://github.com/uutils/coreutils/issues/10019"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/uutils/coreutils/issues/10019"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T18:09:50.644181+00:00", "value": {"mitigation_remediation": ["Install an updated release of uutils coreutils that addresses the TOCTOU race condition once it becomes available.", "Where an update cannot be applied immediately, restrict write permissions on directories that are frequently accessed by the touch command so that only authorized users can create or replace files there.", "Configure the filesystem or use access control lists (ACLs) to prevent ordinary users from creating or modifying symlinks that resolve to critical files.", "Implement file integrity monitoring so that unexpected truncation or changes to important files are rapidly detected and logged."], "summary": {"action": "Patch", "impact": "Data Loss via Arbitrary File Truncation"}, "threat_synthesis": {"affected_systems": "The affected product is uutils coreutils. No specific version information is supplied, so all releases that include the touch utility are potentially vulnerable until a patch is released.", "description_and_impact": "The touch command in uutils coreutils can truncate an existing file when a Time\u2011of\u2011Check to Time\u2011of\u2011Use (TOCTOU) race condition occurs. During file creation, the utility verifies that the target path is missing and later calls File::create(), which internally uses O_TRUNC. An attacker can exploit the window between the check and the use by creating or switching a symbolic link at the target path, causing the touch command to truncate an existing file and permanently erase its data. This weakness corresponds to CWE\u2011367 and can lead to irreversible loss of critical information.", "risk_and_exploitability": "The CVSS score of 6.3 indicates a medium severity vulnerability. Although the EPSS score is not provided, the risk of exploitation depends on the attacker\u2019s ability to influence file creation paths. The vulnerability is not currently listed in the CISA KEV catalog. It is most likely exploitable in a local environment where the attacker has write permission to the target directory, or remotely if a privileged service runs touch with elevated rights. An attacker with such access could deliberately truncate a file by swapping a symlink at the target path during the race window. The absence of a publicly available patch suggests the need for immediate mitigation to prevent potential data loss."}}}}, "created": "2026-04-22T18:15:15.483260+00:00", "updated": "2026-04-22T18:15:15.483271+00:00", "vendors": []}