GHSA-x4mc-mqm7-gg39

Source
https://github.com/advisories/GHSA-x4mc-mqm7-gg39
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-x4mc-mqm7-gg39/GHSA-x4mc-mqm7-gg39.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x4mc-mqm7-gg39
Aliases
  • CVE-2026-35354
Related
Published
2026-04-22T18:31:45Z
Modified
2026-06-02T18:29:35.130778116Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition
Details

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mv utility of uutils coreutils during cross-device moves. The extended attribute (xattr) preservation logic uses multiple path-based system calls that perform fresh path-to-inode lookups for each operation. A local attacker with write access to the directory can exploit this race to swap files between calls, causing the destination file to receive an inconsistent mix of security xattrs, such as SELinux labels or file capabilities.
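The defect described above is the general shape of a path-based TOCTOU: each syscall re-resolves the path, so nothing guarantees that two consecutive calls act on the same inode. The added C example below (not uutils code, and not the project's fix) contrasts that with the fd-based pattern: open the file once with O_NOFOLLOW, pin its identity with fstat, and do the xattr work through fgetxattr/fsetxattr on the open descriptor so every operation hits the same inode. The helper names (open_pinned, path_still_matches, copy_xattr_by_fd, demo_detects_swap) are hypothetical; the demo creates two files in a constructed temporary directory and simulates the swap with rename to show that the identity check catches it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/xattr.h>
#endif

/* Open a path without following a final symlink and record the inode we got.
 * Hypothetical helper name; added example, not uutils code. */
int open_pinned(const char *path, struct stat *st) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, st) < 0) { close(fd); return -1; }
    return fd;
}

/* Return 1 if `path` still names the inode held open in `fd`, 0 if the
 * directory entry now points at a different inode (a swap), -1 on error.
 * (dev, ino) is compared because a fresh lookup is exactly what a
 * path-based call would do; the open fd is the reference we trust. */
int path_still_matches(int fd, const char *path) {
    struct stat held, fresh;
    if (fstat(fd, &held) < 0) return -1;
    if (lstat(path, &fresh) < 0) return -1;
    return (held.st_dev == fresh.st_dev && held.st_ino == fresh.st_ino) ? 1 : 0;
}

#ifdef __linux__
/* Safe shape for preserving one attribute: both sides are descriptors, so no
 * path is re-resolved between reading the value and writing it. Returns 0 on
 * success, -1 with errno set (ENOTSUP/ENODATA are common on filesystems
 * without xattr support). */
int copy_xattr_by_fd(int src_fd, int dst_fd, const char *name) {
    char buf[4096];
    ssize_t n = fgetxattr(src_fd, name, buf, sizeof buf);
    if (n < 0) return -1;
    return fsetxattr(dst_fd, name, buf, (size_t)n, 0);
}
#endif

/* Demo: create dst and other in a constructed temp dir, pin dst, then rename
 * other over dst to stand in for a swap between two path-based calls.
 * Returns 1 if the identity check reported a match before and a mismatch
 * after the swap, 0 otherwise, -1 on setup error. */
int demo_detects_swap(void) {
    char dir[] = "/tmp/toctou-demo-XXXXXX";   /* constructed sample location */
    if (!mkdtemp(dir)) return -1;
    char dst[256], other[256];
    snprintf(dst, sizeof dst, "%s/dst", dir);
    snprintf(other, sizeof other, "%s/other", dir);

    int c1 = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int c2 = open(other, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (c1 < 0 || c2 < 0) return -1;
    close(c1);
    close(c2);

    struct stat st;
    int fd = open_pinned(dst, &st);
    if (fd < 0) return -1;
    int before = path_still_matches(fd, dst);   /* expected 1: same inode */

    /* The swap: the name "dst" now refers to other's inode, while fd still
     * refers to the original one. Any path-based call made now would act on
     * the wrong file. */
    if (rename(other, dst) < 0) return -1;
    int after = path_still_matches(fd, dst);    /* expected 0: mismatch */

    close(fd);
    unlink(dst);
    rmdir(dir);
    return (before == 1 && after == 0) ? 1 : 0;
}

int main(void) {
    int r = demo_detects_swap();
    printf("swap detected: %s\n", r == 1 ? "yes" : (r == 0 ? "no" : "setup error"));
    return r == 1 ? 0 : 1;
}
```

The practical rule the example encodes: resolve a path once, keep the descriptor, and route every subsequent check and write (fstat, fgetxattr, fsetxattr, fchmod) through it; if a path must be reused, re-verify (dev, ino) against the pinned descriptor before trusting it.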

Database specific
{
    "cwe_ids": [
        "CWE-367"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-30T17:10:41Z",
    "nvd_published_at": "2026-04-22T17:16:37Z",
    "severity": "MODERATE"
}
References

Affected packages

crates.io / coreutils

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
0.8.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-x4mc-mqm7-gg39/GHSA-x4mc-mqm7-gg39.json"