{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3auutilscoreutils-rust/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:*"],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-35341"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["uu_mkfifo (\u003c 0.6.0)","uutils coreutils"],"_cs_severities":["high"],"_cs_tags":["vulnerability","linux","coreutils","permissions","information-disclosure","privilege-escalation"],"_cs_type":"threat","_cs_vendors":["uutils"],"content_html":"\u003cp\u003eA critical vulnerability (CVE-2026-35341) has been identified in \u003ccode\u003euu_mkfifo\u003c/code\u003e, a utility within \u003ccode\u003euutils coreutils\u003c/code\u003e, affecting all versions prior to 0.6.0. The flaw, reported by Zellic during a security assessment for Canonical, occurs when \u003ccode\u003emkfifo()\u003c/code\u003e is invoked on a path that already exists as a regular file. Instead of simply reporting an error and exiting, the \u003ccode\u003euu_mkfifo\u003c/code\u003e utility inadvertently proceeds to call \u003ccode\u003efs::set_permissions\u003c/code\u003e on the pre-existing file. This action modifies the file's permissions to the default FIFO mode (typically \u003ccode\u003e0644\u003c/code\u003e), effectively relaxing previously strict access controls. This vulnerability enables an attacker with local access to inadvertently or maliciously expose sensitive, owner-only files, such as SSH private keys, to other users on the system, leading to unauthorized information disclosure and potential privilege escalation. The issue has been acknowledged and a fix implemented in PR #10376.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains local access to a Linux system running an affected version of \u003ccode\u003euutils coreutils\u003c/code\u003e (\u003ccode\u003euu_mkfifo\u003c/code\u003e \u0026lt; 0.6.0).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a sensitive file with highly restricted permissions, such as an SSH private key (\u003ccode\u003e~/.ssh/id_rsa\u003c/code\u003e), which is typically set to \u003ccode\u003e0600\u003c/code\u003e or \u003ccode\u003e0400\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to create a FIFO (named pipe) using the vulnerable \u003ccode\u003euu_mkfifo\u003c/code\u003e utility, specifying the path of the sensitive file as the target (e.g., \u003ccode\u003euu_mkfifo ~/.ssh/id_rsa\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emkfifo()\u003c/code\u003e system call invoked by \u003ccode\u003euu_mkfifo\u003c/code\u003e fails because a file with the specified name (\u003ccode\u003e~/.ssh/id_rsa\u003c/code\u003e) already exists.\u003c/li\u003e\n\u003cli\u003eDue to a logical error (missing \u003ccode\u003econtinue;\u003c/code\u003e statement after the error handling), \u003ccode\u003euu_mkfifo\u003c/code\u003e incorrectly proceeds to invoke \u003ccode\u003efs::set_permissions\u003c/code\u003e on the existing sensitive file.\u003c/li\u003e\n\u003cli\u003eThe file's permissions are subsequently changed from their strict original setting (e.g., \u003ccode\u003e0600\u003c/code\u003e) to the default FIFO creation permissions (e.g., \u003ccode\u003e0644\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe sensitive file, now with relaxed permissions, becomes readable by other unprivileged users on the system.\u003c/li\u003e\n\u003cli\u003eOther users or processes can now read the contents of the sensitive file (e.g., the SSH private key), leading to unauthorized information disclosure or further credential compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-35341 can lead to significant information disclosure and potential privilege escalation on affected Linux systems. An attacker, or even an unsuspecting user, can inadvertently relax file permissions on critical owner-only files, such as SSH private keys, API keys, or configuration files containing credentials. If these files are exposed, unauthorized users could read their contents, enabling lateral movement within the network, unauthorized access to systems, or further credential harvesting. While no specific victim count or targeted sectors have been reported for active exploitation, the coreutils package is fundamental, making a wide range of Linux environments potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch \u003ccode\u003euutils coreutils\u003c/code\u003e to version 0.6.0 or later to remediate CVE-2026-35341.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring (FIM) for sensitive files (e.g., SSH keys, \u003ccode\u003e/etc/shadow\u003c/code\u003e, API keys) to detect unexpected permission changes, which may be logged via \u003ccode\u003efile_event\u003c/code\u003e category logs.\u003c/li\u003e\n\u003cli\u003eReview process creation logs for \u003ccode\u003euu_mkfifo\u003c/code\u003e executions (\u003ccode\u003eprocess_creation\u003c/code\u003e category) targeting existing sensitive files and investigate any subsequent unauthorized permission modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T21:56:23Z","date_published":"2026-07-06T21:56:23Z","id":"https://feed.craftedsignal.io/briefs/2026-07-mkfifo-permission-relax/","summary":"A vulnerability (CVE-2026-35341) exists in the `uu_mkfifo` utility of `uutils coreutils`, affecting versions prior to 0.6.0. When `mkfifo()` fails because the target file already exists, the utility incorrectly proceeds to modify the permissions of the pre-existing file to `0644`. This can inadvertently relax permissions on sensitive owner-only files, such as SSH private keys, making them accessible to other users on the system and potentially enabling unauthorized access or information disclosure. The issue has been patched in PR #10376.","title":"mkfifo: permissions of an existing file are changed after FIFO creation fails","url":"https://feed.craftedsignal.io/briefs/2026-07-mkfifo-permission-relax/"}],"language":"en","title":"CraftedSignal Threat Feed - Cpe:2.3:a:uutils:coreutils:-:*:*:*:*:Rust:*:*","version":"https://jsonfeed.org/version/1.1"}