DEBIAN-CVE-2026-35360
- Source
- https://security-tracker.debian.org/tracker/CVE-2026-35360
- Import Source
- https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-35360.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-35360
- Upstream
- Published
- 2026-04-23T00:03:05.421950Z
- Modified
- 2026-04-23T04:07:05.566398Z
- Summary
- [none]
- Details
-
The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss.
- References
Affected packages
Debian:12 / rust-coreutils
Package
- Name
- rust-coreutils
- Purl
- pkg:deb/debian/rust-coreutils?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
0.*
0.0.17-2
0.0.17-3
0.0.17-4
0.0.17-5
0.0.17-6
0.0.19-1
0.0.19-2
0.0.19-3
0.0.20-1
0.0.21-1
0.0.22-1
0.0.23-1
0.0.23-2
0.0.23-3
0.0.24-1
0.0.24-2
0.0.26-1
0.0.26-2
0.0.26-3
0.0.26-4
0.0.26-5
0.0.27-1
0.0.27-2
0.0.27-3
0.0.30-1
0.0.30-2
0.0.30-3~exp1
0.0.30-3
0.0.30-4
0.6.0-1
0.7.0-1
Debian:13 / rust-coreutils
Package
- Name
- rust-coreutils
- Purl
- pkg:deb/debian/rust-coreutils?arch=source
Debian:14 / rust-coreutils
Package
- Name
- rust-coreutils
- Purl
- pkg:deb/debian/rust-coreutils?arch=source