* Collin Funk <[email protected]>, 2026-05-01 18:49:
* CVE-2026-35352
We can see that uutils 'mkfifo' creates the fifo with world readable
and writable permissions and then uses chmod() which introduces a
TOCTOU race that can be exploited by another user creating a symbolic
link in its place:
$ mkfifo --version
mkfifo (uutils coreutils) 0.8.0
$ strace mkfifo -m 700 /tmp/fifo
[...]
umask(000) = 002
umask(002) = 000
mknodat(AT_FDCWD, "/tmp/fifo", S_IFIFO|0666) = 0
chmod("/tmp/fifo", 0700) = 0
Creating the FIFO with default permission could allow other users to
open it before the chmod(..., 0700) call. This is indeed a
vulnerability, but unrelated to symlinks, and it's a different issue
than the one in the description of CVE-2026-35352:
A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the
mkfifo utility of uutils coreutils. The utility creates a FIFO and then
performs a path-based chmod to set permissions. A local attacker with
write access to the parent directory can swap the newly created FIFO
for a symbolic link between these two operations.
Note that this attack doesn't work in /tmp, because the sticky bit
prevents the attacker from deleting or renaming other users' files. The
victim would have to do something like "mkfifo /home/mallory/fifo". So,
uh, don't do that?
It's questionable if this is a vulnerability at all.
--
Jakub Wilk
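
The permission window visible in the strace output above, next to a creation pattern with no window, as an added example (not code from this thread or from uutils). The function names and the scratch directory under /tmp are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Mode bits of path without following symlinks, or -1 on error. */
static int mode_of(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 07777);
}

/* Pattern from the strace output: create wide open, then path-based chmod.
 * Returns the mode other users see between the two calls. */
int two_step_window_mode(const char *path, mode_t final_mode) {
    mode_t old = umask(0);
    int rc = mkfifo(path, 0666);
    umask(old);
    if (rc != 0) return -1;
    int window = mode_of(path);          /* state during the race window */
    if (chmod(path, final_mode) != 0) return -1;
    return window;
}

/* Hardened pattern: the FIFO is created with its final mode, no chmod.
 * Returns the mode right after creation. */
int one_step_mode(const char *path, mode_t final_mode) {
    mode_t old = umask(0);               /* process-wide, not thread-safe */
    int rc = mkfifo(path, final_mode);
    umask(old);
    return rc == 0 ? mode_of(path) : -1;
}

/* Runs one pattern in a private scratch directory (constructed path). */
int demo(int hardened) {
    char dir[] = "/tmp/fifo-demo-XXXXXX", path[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/fifo", dir);
    int m = hardened ? one_step_mode(path, 0700) : two_step_window_mode(path, 0700);
    unlink(path);
    rmdir(dir);
    return m;
}

int main(void) {
    printf("two-step window mode:  %04o\n", demo(0));
    printf("one-step initial mode: %04o\n", demo(1));
    return 0;
}
```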