CVE-2026-35361: Security Permission Bypass via Improper File Cleanup in uutils coreutils mknod
Vulnerability ID: CVE-2026-35361
CVSS Score: 3.4
Published: 2026-07-06
A security permission bypass vulnerability exists in the mknod utility of uutils coreutils on Linux systems utilizing SELinux. The utility fails to atomically assign SELinux security contexts during special file creation. When assignment fails, the program attempts cleanup using an incorrect file system API, which fails silently. This leaves mislabeled, orphaned special files on disk with potentially weaker default inherited permissions.
TL;DR
The mknod utility in uutils coreutils fails to clean up orphaned special files when SELinux labeling fails because it incorrectly attempts to delete them using rmdir instead of unlink. This leaves mislabeled device nodes or FIFOs on disk under default permissions, bypassing mandatory access controls.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-281, CWE-459
- Attack Vector: Local
- CVSS Score: 3.4
- EPSS Score: 0.00142 (0.142%)
- Exploit Status: Proof of Concept
- KEV Status: Not Listed
Affected Systems
- Linux systems utilizing SELinux where uutils coreutils mknod is installed
-
uutils coreutils: < 0.6.0 (Fixed in:
0.6.0)
Code Analysis
Commit: 42b2ad8
Fix cleanup failure in mknod when setting invalid SELinux context
Exploit Details
- GitHub: Reproduction test case inside the official pull request
Mitigation Strategies
- Upgrade to uutils coreutils version 0.6.0 or later to ensure proper cleanup of orphaned special files.
- Validate that newly created nodes do not exist on the filesystem if a mknod command fails when setting a custom context.
- Implement automated filesystem integrity and security context audits on sensitive device directories.
Remediation Steps:
- Identify installations of uutils coreutils older than version 0.6.0.
- Apply the update to version 0.6.0 or newer via the system package manager or Cargo compile.
- Deploy the configuration changes to active auditing tools (such as Auditd) to monitor for failed cleanup attempts.
- Verify the installation by running the validation test script to confirm proper cleanup of invalid contexts.
References
- GitHub Pull Request #10582
- GitHub Fix Commit
- uutils coreutils 0.6.0 Release Notes
- CVE Record for CVE-2026-35361
Read the full report for CVE-2026-35361 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)