2460771 – (CVE-2026-35361) CVE-2026-35361 rust-coreutils: mknod: security label inconsistency and broken cleanup on SELinux systems

Bug 2460771 (CVE-2026-35361) - CVE-2026-35361 rust-coreutils: mknod: security label inconsistency and broken cleanup on SELinux systems

Summary: CVE-2026-35361 rust-coreutils: mknod: security label inconsistency and broken...

Keywords:
Status:	NEW
Alias:	CVE-2026-35361
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2461176 2461177
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-22 17:01 UTC by OSIDB Bzimport
Modified:	2026-04-24 19:01 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-22 17:01:47 UTC

The mknod utility in uutils coreutils fails to handle security labels atomically by creating device nodes before setting the SELinux context. If labeling fails, the utility attempts cleanup using std::fs::remove_dir, which cannot remove device nodes or FIFOs. This leaves mislabeled nodes behind with incorrect default contexts, potentially allowing unauthorized access to device nodes that should have been restricted by mandatory access controls.

Note You need to log in before you can comment on or make changes to this bug.