2460808 – (CVE-2026-35374) CVE-2026-35374 rust-coreutils: split: arbitrary file truncation via Time-of-Check to Time-of-Use (TOCTOU) race condition

Bug 2460808 (CVE-2026-35374) - CVE-2026-35374 rust-coreutils: split: arbitrary file truncation via Time-of-Check to Time-of-Use (TOCTOU) race condition

Summary: CVE-2026-35374 rust-coreutils: split: arbitrary file truncation via Time-of-C...

Keywords:
Status:	NEW
Alias:	CVE-2026-35374
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2461188 2461189
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-22 17:03 UTC by OSIDB Bzimport
Modified:	2026-04-24 19:04 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-22 17:03:53 UTC

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the split utility of uutils coreutils. The program attempts to prevent data loss by checking for identity between input and output files using their file paths before initiating the split operation. However, the utility subsequently opens the output file with truncation after this path-based validation is complete. A local attacker with write access to the directory can exploit this race window by manipulating mutable path components (e.g., swapping a path with a symbolic link). This can cause split to truncate and write to an unintended target file, potentially including the input file itself or other sensitive files accessible to the process, leading to permanent data loss.

Note You need to log in before you can comment on or make changes to this bug.