Nixpkgs security tracker

Login with GitHub

Suggestion detail

Untriaged

Permalink CVE-2026-35364

6.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): HIGH
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 6 days, 11 hours ago Activity log

Created suggestion 6 days, 11 hours ago

uutils coreutils mv Arbitrary File Overwrite via Cross-Device TOCTOU Race Condition

A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation. A local attacker with write access to the destination directory can exploit this window to replace the destination with a symbolic link. The subsequent privileged move operation will follow the symlink, allowing the attacker to redirect the write and overwrite an arbitrary target file with contents from the source.

References

https://github.com/uutils/coreutils/issues/10015 exploitissue-tracking

Affected products

coreutils

Matching in nixpkgs

pkgs.coreutils

GNU Core Utilities

nixos-unstable 9.10
- nixpkgs-unstable 9.10
- nixos-unstable-small 9.10
nixos-25.11 9.8
- nixos-25.11-small 9.8
- nixpkgs-25.11-darwin 9.8

pkgs.coreutils-full

GNU Core Utilities

nixos-unstable 9.10
- nixpkgs-unstable 9.10
- nixos-unstable-small 9.10
nixos-25.11 9.8
- nixos-25.11-small 9.8
- nixpkgs-25.11-darwin 9.8

pkgs.policycoreutils

SELinux policy core utilities

nixos-unstable 3.10
- nixpkgs-unstable 3.10
- nixos-unstable-small 3.10
nixos-25.11 3.8.1
- nixos-25.11-small 3.8.1
- nixpkgs-25.11-darwin 3.8.1

pkgs.uutils-coreutils

Cross-platform Rust rewrite of the GNU coreutils

nixos-unstable 0.8.0
- nixpkgs-unstable 0.8.0
- nixos-unstable-small 0.8.0
nixos-25.11 0.6.0
- nixos-25.11-small 0.6.0
- nixpkgs-25.11-darwin 0.6.0

pkgs.coreutils-prefixed

GNU Core Utilities

nixos-unstable 9.10
- nixpkgs-unstable 9.10
- nixos-unstable-small 9.10
nixos-25.11 9.8
- nixos-25.11-small 9.8
- nixpkgs-25.11-darwin 9.8

pkgs.uutils-coreutils-noprefix

Cross-platform Rust rewrite of the GNU coreutils

nixos-unstable 0.8.0
- nixpkgs-unstable 0.8.0
- nixos-unstable-small 0.8.0
nixos-25.11 0.6.0
- nixos-25.11-small 0.6.0
- nixpkgs-25.11-darwin 0.6.0

pkgs.minimal-bootstrap.coreutils

The GNU Core Utilities

nixos-unstable 5.0
- nixpkgs-unstable 5.0
- nixos-unstable-small 5.0

pkgs.selinuxPackages.policycoreutils

SELinux policy core utilities

nixos-unstable 3.10
- nixpkgs-unstable 3.10
- nixos-unstable-small 3.10

pkgs.minimal-bootstrap.coreutils-musl

The GNU Core Utilities

nixos-unstable 9.9
- nixpkgs-unstable 9.9
- nixos-unstable-small 9.9

pkgs.minimal-bootstrap.coreutils-static

The GNU Core Utilities

nixos-unstable 9.9
- nixpkgs-unstable 9.9
- nixos-unstable-small 9.9

Package maintainers

@dasJ Janne Heß <janne@hess.ooo>
@mdaniels5757 Michael Daniels <nix@mdaniels.me>
@infinisil Silvan Mosberger <contact@infinisil.com>
@pyrox0 Pyrox <pyrox@pyrox.dev>
@balsoft Alexander Bantyev <balsoft75@gmail.com>
@siraben Siraphob Phipathananunth <bensiraphob@gmail.com>
@Gskartwii Aleksi Hannula <ahannula4@gmail.com>
@06kellyjac Jack <hello+nixpkgs@j-k.io>
@emilytrau Emily Trau <emily+nix@downunderctf.com>
@Ericson2314 John Ericson <John.Ericson@Obsidian.Systems>
@Artturin Artturi N <artturin@artturin.com>
@alejandrosame Alejandro Sánchez Medina <alejandrosanchzmedina@gmail.com>
@RossComputerGuy Tristan Ross <tristan.ross@midstall.com>
@numinit Morgan Jones <me+nixpkgs@numin.it>
@matthiasbeyer Matthias Beyer <mail@beyermatthias.de>
@GaetanLepage Gaetan Lepage <gaetan@glepage.com>