mkfifo: permissions of an existing file are changed after FIFO creation fails
A vulnerability (CVE-2026-35341) exists in the `uu_mkfifo` utility of `uutils coreutils`, affecting versions prior to 0.6.0. When `mkfifo()` fails because the target file already exists, the utility incorrectly proceeds to modify the permissions of the pre-existing file to `0644`. This can inadvertently relax permissions on sensitive owner-only files, such as SSH private keys, making them accessible to other users on the system and potentially enabling unauthorized access or information disclosure. The issue has been patched in PR #10376.
A critical vulnerability (CVE-2026-35341) has been identified in uu_mkfifo, a utility within uutils coreutils, affecting all versions prior to 0.6.0. The flaw, reported by Zellic during a security assessment for Canonical, occurs when mkfifo() is invoked on a path that already exists as a regular file. Instead of simply reporting an error and exiting, the uu_mkfifo utility inadvertently proceeds to call fs::set_permissions on the pre-existing file. This action modifies the file's permissions to the default FIFO mode (typically 0644), effectively relaxing previously strict access controls. This vulnerability enables an attacker with local access to inadvertently or maliciously expose sensitive, owner-only files, such as SSH private keys, to other users on the system, leading to unauthorized information disclosure and potential privilege escalation. The issue has been acknowledged and a fix implemented in PR #10376.
Attack Chain
- An attacker gains local access to a Linux system running an affected version of
uutils coreutils(uu_mkfifo< 0.6.0). - The attacker identifies a sensitive file with highly restricted permissions, such as an SSH private key (
~/.ssh/id_rsa), which is typically set to0600or0400. - The attacker attempts to create a FIFO (named pipe) using the vulnerable
uu_mkfifoutility, specifying the path of the sensitive file as the target (e.g.,uu_mkfifo ~/.ssh/id_rsa). - The
mkfifo()system call invoked byuu_mkfifofails because a file with the specified name (~/.ssh/id_rsa) already exists. - Due to a logical error (missing
continue;statement after the error handling),uu_mkfifoincorrectly proceeds to invokefs::set_permissionson the existing sensitive file. - The file's permissions are subsequently changed from their strict original setting (e.g.,
0600) to the default FIFO creation permissions (e.g.,0644). - The sensitive file, now with relaxed permissions, becomes readable by other unprivileged users on the system.
- Other users or processes can now read the contents of the sensitive file (e.g., the SSH private key), leading to unauthorized information disclosure or further credential compromise.
Impact
The successful exploitation of CVE-2026-35341 can lead to significant information disclosure and potential privilege escalation on affected Linux systems. An attacker, or even an unsuspecting user, can inadvertently relax file permissions on critical owner-only files, such as SSH private keys, API keys, or configuration files containing credentials. If these files are exposed, unauthorized users could read their contents, enabling lateral movement within the network, unauthorized access to systems, or further credential harvesting. While no specific victim count or targeted sectors have been reported for active exploitation, the coreutils package is fundamental, making a wide range of Linux environments potentially vulnerable.
Recommendation
- Immediately patch
uutils coreutilsto version 0.6.0 or later to remediate CVE-2026-35341. - Implement file integrity monitoring (FIM) for sensitive files (e.g., SSH keys,
/etc/shadow, API keys) to detect unexpected permission changes, which may be logged viafile_eventcategory logs. - Review process creation logs for
uu_mkfifoexecutions (process_creationcategory) targeting existing sensitive files and investigate any subsequent unauthorized permission modifications.