UBUNTU-CVE-2026-35354

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-35354

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-35354.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-35354

Upstream

CVE-2026-35354

Published

2026-04-22T17:16:00Z

Modified

2026-05-20T16:25:36.450577963Z

Severity

4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mv utility of uutils coreutils during cross-device moves. The extended attribute (xattr) preservation logic uses multiple path-based system calls that perform fresh path-to-inode lookups for each operation. A local attacker with write access to the directory can exploit this race to swap files between calls, causing the destination file to receive an inconsistent mix of security xattrs, such as SELinux labels or file capabilities.

References

Affected packages

Ubuntu:24.04:LTS / rust-coreutils

Package

Name: rust-coreutils
Purl: pkg:deb/ubuntu/rust-coreutils?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.0.20-1

0.0.22-1

0.0.23-1

0.0.23-2

0.0.23-3

0.0.24-1

0.0.24-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.0.24-2",
            "binary_name": "rust-coreutils"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-35354.json"

Ubuntu:25.10 / rust-coreutils

Package

Name: rust-coreutils
Purl: pkg:deb/ubuntu/rust-coreutils?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.0.30-1

0.0.30-2

0.0.30-2ubuntu2

0.1.0-0ubuntu1

0.1.0+git20250711.2ba3a33-0ubuntu1

0.1.0+git20250711.2ba3a33-0ubuntu2

0.1.0+git20250711.2ba3a33-0ubuntu3

0.1.0+git20250711.2ba3a33-0ubuntu4

0.1.0+git20250801.cf79675-0ubuntu1

0.1.0+git20250813.4af2a84-0ubuntu2

0.1.0+git20250813.4af2a84-0ubuntu4

0.1.0+git20250813.4af2a84-0ubuntu6

0.1.0+git20250813.4af2a84-0ubuntu7

0.2.2-0ubuntu1

0.2.2-0ubuntu2

0.2.2-0ubuntu2.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.2.2-0ubuntu2.1",
            "binary_name": "rust-coreutils"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-35354.json"

Ubuntu:26.04:LTS / rust-coreutils

Package

Name: rust-coreutils
Purl: pkg:deb/ubuntu/rust-coreutils?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.2.2-0ubuntu2

0.2.2-0ubuntu4

0.5.0-0ubuntu1

0.5.0-0ubuntu2

0.6.0-0ubuntu1

0.7.0-0ubuntu1

0.8.0-0ubuntu3

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.8.0-0ubuntu3",
            "binary_name": "rust-coreutils"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-35354.json"