CVE-2026-35341
Published: 22 April 2026
Summary
CVE-2026-35341 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in Uutils Coreutils. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Linux and Mac Permissions (T1222.002); ranked at the 1.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-10 (Software Usage Restrictions) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely identification, reporting, prioritization, and remediation of software flaws like the mkfifo permission modification vulnerability to prevent exploitation.
- CM-10 (Software Usage Restrictions): Restricts usage to approved software programs, prohibiting vulnerable implementations like uutils coreutils and its flawed mkfifo command.
- Monitors and verifies the integrity of critical software and files, detecting unauthorized permission changes to sensitive resources such as SSH private keys.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly causes unintended modification of permissions on existing files (e.g., making SSH keys world-readable) via misuse of mkfifo, mapping to Linux file/directory permissions modification.
NVD Description
A vulnerability in uutils coreutils mkfifo allows for the unauthorized modification of permissions on existing files. When mkfifo fails to create a FIFO because a file already exists at the target path, it fails to terminate the operation for that path and continues to execute a follow-up set_permissions call. This results in the existing file's permissions being changed to the default mode (often 644 after umask), potentially exposing sensitive files such as SSH private keys to other users on the system.
Deeper analysis
CVE-2026-35341 is a vulnerability in the mkfifo command of uutils coreutils, a Rust-based reimplementation of GNU coreutils. The flaw occurs when mkfifo fails to create a FIFO because a file already exists at the target path; instead of terminating the operation, it proceeds with a follow-up set_permissions call. This unintentionally changes the permissions of the existing file to the default mode, often 644 after umask application. Sensitive files, such as SSH private keys, can thus be exposed if targeted.
According to its CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and associated CWE-732 (Incorrect Permission Assignment for Critical Resource), the vulnerability is exploitable by a local attacker with low privileges and no user interaction. By running mkfifo on the path of an existing sensitive file, an attacker can alter its permissions, making the file readable by other system users and potentially leading to unauthorized disclosure of confidential information or integrity compromises.
Mitigation details and discussion of the issue, including potential patches, are available in the GitHub issue at https://github.com/uutils/coreutils/issues/10020.
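The control-flow defect described above, and the integrity check that would catch its effect, as an added example in Python that is not code from the uutils project. The `mkfifo_vulnerable` function mirrors the behaviour the advisory describes (the create error is noted but the follow-up permission call still runs); `mkfifo_fixed` stops at the error, which is the intended behaviour. `exposed_private_keys` is a constructed integrity check of the kind the SI-7-style control above calls for: it flags non-public key files under a directory that grant any group or other access. The umask of 0o022, the temporary directory and the placeholder key contents are all constructed for the demonstration.

```python
"""Demonstrate CVE-2026-35341's failure mode (mkfifo on an existing path still
chmods that path) beside the corrected control flow, plus a detection check.
Added example; assumes a Unix host with os.mkfifo available."""
import os
import stat
import tempfile
from pathlib import Path

DEFAULT_FIFO_MODE = 0o666  # mkfifo's default requested mode before umask


def current_umask() -> int:
    """Read the process umask without changing it (os.umask sets and returns)."""
    mask = os.umask(0)
    os.umask(mask)
    return mask


def set_permissions(path: str, requested: int) -> None:
    """Stand-in for the follow-up set_permissions call: apply requested & ~umask."""
    os.chmod(path, requested & ~current_umask())


def mkfifo_vulnerable(path: str, mode: int = DEFAULT_FIFO_MODE) -> bool:
    """Flawed flow: an EEXIST failure is recorded but the function keeps going,
    so whatever already sits at `path` gets the default mode (644 with umask 022)."""
    created = True
    try:
        os.mkfifo(path, mode)
    except FileExistsError:
        created = False  # error noted, but the operation is not terminated
    set_permissions(path, mode)
    return created


def mkfifo_fixed(path: str, mode: int = DEFAULT_FIFO_MODE) -> bool:
    """Corrected flow: on any failure to create the FIFO, return immediately and
    never touch a path this call did not create."""
    try:
        os.mkfifo(path, mode)
    except FileExistsError:
        return False
    set_permissions(path, mode)
    return True


def exposed_private_keys(ssh_dir: str) -> list[str]:
    """Integrity check: names of non-.pub regular files in ssh_dir whose mode
    grants any group/other access (anything beyond 0600)."""
    exposed = []
    for entry in sorted(Path(ssh_dir).iterdir()):
        if not entry.is_file() or entry.name.endswith(".pub"):
            continue
        if stat.S_IMODE(entry.stat().st_mode) & 0o077:
            exposed.append(entry.name)
    return exposed


def demo() -> dict:
    """Run both flows against a constructed 0600 'private key' and report modes."""
    old_umask = os.umask(0o022)  # constructed: a typical umask, so 666 -> 644
    try:
        with tempfile.TemporaryDirectory() as d:
            key = os.path.join(d, "id_ed25519")
            with open(key, "w") as f:
                f.write("-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed placeholder)\n")
            os.chmod(key, 0o600)
            before = stat.S_IMODE(os.stat(key).st_mode)

            vulnerable_created = mkfifo_vulnerable(key)
            after_vulnerable = stat.S_IMODE(os.stat(key).st_mode)
            flagged = exposed_private_keys(d)  # the check catches the damage

            os.chmod(key, 0o600)  # restore, then show the corrected flow
            fixed_created = mkfifo_fixed(key)
            after_fixed = stat.S_IMODE(os.stat(key).st_mode)

            fifo = os.path.join(d, "pipe")  # fresh path: the fix still creates FIFOs
            fifo_created = mkfifo_fixed(fifo) and stat.S_ISFIFO(os.stat(fifo).st_mode)

            return {
                "before": before,
                "vulnerable_created": vulnerable_created,
                "after_vulnerable": after_vulnerable,
                "flagged": flagged,
                "fixed_created": fixed_created,
                "after_fixed": after_fixed,
                "fifo_created": fifo_created,
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {oct(v) if isinstance(v, int) and not isinstance(v, bool) else v}")
```

Running the block prints the key's mode going from 0o600 to 0o644 under the vulnerable flow and staying at 0o600 under the fixed one; `exposed_private_keys` can be pointed at a real `~/.ssh` to audit for the same symptom.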
Details
- CWE(s)