CVE-2026-35362

Publication date 22 April 2026

Last updated 13 May 2026

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

3.6 · Low

Score breakdown

Description

The safe_traversal module in uutils coreutils, which provides protection against Time-of-Check to Time-of-Use (TOCTOU) symlink races using file-descriptor-relative syscalls, is incorrectly limited to Linux targets. On other Unix-like systems such as macOS and FreeBSD, the utility fails to utilize these protections, leaving directory traversal operations vulnerable to symlink race conditions.

Status

Package Ubuntu Release Status
rust-coreutils 26.04 LTS resolute
Not affected
25.10 questing
Vulnerable
24.04 LTS noble
Vulnerable
22.04 LTS jammy Not in release

Severity score breakdown

CVSS version: CVSS v3.0

Base score 3.6 · Low

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

References

Other references

Access our resources on patching vulnerabilities