Nixpkgs security tracker

Login with GitHub

Suggestion detail

Untriaged

Permalink CVE-2026-35362

3.6 LOW

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): HIGH
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

created 6 days, 11 hours ago Activity log

Created suggestion 6 days, 11 hours ago

uutils coreutils Missing TOCTOU Protection on Non-Linux Unix Platforms in Safe Traversal Module

The safe_traversal module in uutils coreutils, which provides protection against Time-of-Check to Time-of-Use (TOCTOU) symlink races using file-descriptor-relative syscalls, is incorrectly limited to Linux targets. On other Unix-like systems such as macOS and FreeBSD, the utility fails to utilize these protections, leaving directory traversal operations vulnerable to symlink race conditions.

References

https://github.com/uutils/coreutils/pull/9792 issue-trackingpatch
https://github.com/uutils/coreutils/releases/tag/0.6.0 vendor-advisory

Affected products

coreutils

<0.6.0

Matching in nixpkgs

pkgs.coreutils

GNU Core Utilities

nixos-unstable 9.10
- nixpkgs-unstable 9.10
- nixos-unstable-small 9.10
nixos-25.11 9.8
- nixos-25.11-small 9.8
- nixpkgs-25.11-darwin 9.8

pkgs.coreutils-full

GNU Core Utilities

nixos-unstable 9.10
- nixpkgs-unstable 9.10
- nixos-unstable-small 9.10
nixos-25.11 9.8
- nixos-25.11-small 9.8
- nixpkgs-25.11-darwin 9.8

pkgs.policycoreutils

SELinux policy core utilities

nixos-unstable 3.10
- nixpkgs-unstable 3.10
- nixos-unstable-small 3.10
nixos-25.11 3.8.1
- nixos-25.11-small 3.8.1
- nixpkgs-25.11-darwin 3.8.1

pkgs.uutils-coreutils

Cross-platform Rust rewrite of the GNU coreutils

nixos-unstable 0.8.0
- nixpkgs-unstable 0.8.0
- nixos-unstable-small 0.8.0
nixos-25.11 0.6.0
- nixos-25.11-small 0.6.0
- nixpkgs-25.11-darwin 0.6.0

pkgs.coreutils-prefixed

GNU Core Utilities

nixos-unstable 9.10
- nixpkgs-unstable 9.10
- nixos-unstable-small 9.10
nixos-25.11 9.8
- nixos-25.11-small 9.8
- nixpkgs-25.11-darwin 9.8

pkgs.uutils-coreutils-noprefix

Cross-platform Rust rewrite of the GNU coreutils

nixos-unstable 0.8.0
- nixpkgs-unstable 0.8.0
- nixos-unstable-small 0.8.0
nixos-25.11 0.6.0
- nixos-25.11-small 0.6.0
- nixpkgs-25.11-darwin 0.6.0

pkgs.minimal-bootstrap.coreutils

The GNU Core Utilities

nixos-unstable 5.0
- nixpkgs-unstable 5.0
- nixos-unstable-small 5.0

pkgs.selinuxPackages.policycoreutils

SELinux policy core utilities

nixos-unstable 3.10
- nixpkgs-unstable 3.10
- nixos-unstable-small 3.10

pkgs.minimal-bootstrap.coreutils-musl

The GNU Core Utilities

nixos-unstable 9.9
- nixpkgs-unstable 9.9
- nixos-unstable-small 9.9

pkgs.minimal-bootstrap.coreutils-static

The GNU Core Utilities

nixos-unstable 9.9
- nixpkgs-unstable 9.9
- nixos-unstable-small 9.9

Package maintainers

@dasJ Janne Heß <janne@hess.ooo>
@mdaniels5757 Michael Daniels <nix@mdaniels.me>
@infinisil Silvan Mosberger <contact@infinisil.com>
@pyrox0 Pyrox <pyrox@pyrox.dev>
@balsoft Alexander Bantyev <balsoft75@gmail.com>
@siraben Siraphob Phipathananunth <bensiraphob@gmail.com>
@Gskartwii Aleksi Hannula <ahannula4@gmail.com>
@06kellyjac Jack <hello+nixpkgs@j-k.io>
@emilytrau Emily Trau <emily+nix@downunderctf.com>
@Ericson2314 John Ericson <John.Ericson@Obsidian.Systems>
@Artturin Artturi N <artturin@artturin.com>
@alejandrosame Alejandro Sánchez Medina <alejandrosanchzmedina@gmail.com>
@RossComputerGuy Tristan Ross <tristan.ross@midstall.com>
@numinit Morgan Jones <me+nixpkgs@numin.it>
@matthiasbeyer Matthias Beyer <mail@beyermatthias.de>
@GaetanLepage Gaetan Lepage <gaetan@glepage.com>