DEBIAN-CVE-2026-35376

Source
https://security-tracker.debian.org/tracker/CVE-2026-35376
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-35376.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-35376
Upstream
Published
2026-04-22T17:16:42.430Z
Modified
2026-06-15T19:06:25.725700618Z
Severity
  • 5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L
Summary
[none]
Details

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the chcon utility of uutils coreutils during recursive operations. The implementation resolves recursive targets using a fresh path lookup (via fts_accpath) rather than binding the traversal and label application to the specific directory state encountered during traversal. Because these operations are not anchored to file descriptors, a local attacker with write access to a directory tree can exploit timing-sensitive rename or symbolic link races to redirect a privileged recursive relabeling operation to unintended files or directories. This vulnerability breaks the hardening expectations for SELinux administration workflows and can lead to the unauthorized modification of security labels on sensitive system objects.

References

Affected packages

Debian:12 / rust-coreutils

Package

Name
rust-coreutils
Purl
pkg:deb/debian/rust-coreutils?arch=source&distro=bookworm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

0.*
0.0.17-2
0.0.17-3
0.0.17-4
0.0.17-5
0.0.17-6
0.0.19-1
0.0.19-2
0.0.19-3
0.0.20-1
0.0.21-1
0.0.22-1
0.0.23-1
0.0.23-2
0.0.23-3
0.0.24-1
0.0.24-2
0.0.26-1
0.0.26-2
0.0.26-3
0.0.26-4
0.0.26-5
0.0.27-1
0.0.27-2
0.0.27-3
0.0.30-1
0.0.30-2
0.0.30-3~exp1
0.0.30-3
0.0.30-4
0.6.0-1
0.7.0-1
0.8.0-1
0.8.0-2
0.8.0-3
0.8.0-4
0.8.0-5
0.8.0-6
0.9.0-1
0.9.0-2
0.9.0-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-35376.json"

Debian:13 / rust-coreutils

Package

Name
rust-coreutils
Purl
pkg:deb/debian/rust-coreutils?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

0.*
0.0.30-2
0.0.30-3~exp1
0.0.30-3
0.0.30-4
0.6.0-1
0.7.0-1
0.8.0-1
0.8.0-2
0.8.0-3
0.8.0-4
0.8.0-5
0.8.0-6
0.9.0-1
0.9.0-2
0.9.0-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-35376.json"

Debian:14 / rust-coreutils

Package

Name
rust-coreutils
Purl
pkg:deb/debian/rust-coreutils?arch=source&distro=forky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

0.*
0.0.30-2
0.0.30-3~exp1
0.0.30-3
0.0.30-4
0.6.0-1
0.7.0-1
0.8.0-1
0.8.0-2
0.8.0-3
0.8.0-4
0.8.0-5
0.8.0-6
0.9.0-1
0.9.0-2
0.9.0-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-35376.json"