Vulnerability details: VCID-4asg-vgfk-n7av
Vulnerability ID VCID-4asg-vgfk-n7av
Aliases CVE-2026-35342
GHSA-2cxp-xq3c-mjxx
Summary The mktemp utility in uutils coreutils fails to properly handle an empty TMPDIR environment variable. Unlike GNU mktemp, which falls back to /tmp when TMPDIR is an empty string, the uutils implementation treats the empty string as a valid path. This causes temporary files to be created in the current working directory (CWD) instead of the intended secure temporary directory. If the CWD is more permissive or accessible to other users than /tmp, it may lead to unintended information disclosure or unauthorized access to temporary data.
Status Published
Exploitability 0.5
Weighted Severity 3.0
Risk 1.5
Weaknesses (1)
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/uutils/coreutils
Attack Vector (AV): local
Attack Complexity (AC): low
Privileges Required (PR): low
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): low
Integrity Impact (I): none
Availability Impact (A): none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/uutils/coreutils/commit/eb25ec328b226d8fbbaa4058bf9187165bf06d51
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/uutils/coreutils/pull/10566
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T18:15:42Z/ Found at https://github.com/uutils/coreutils/pull/10566
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/uutils/coreutils/releases/tag/0.6.0
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T18:15:42Z/ Found at https://github.com/uutils/coreutils/releases/tag/0.6.0
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-35342
Exploit Prediction Scoring System (EPSS)
Percentile 0.0437
EPSS Score 0.00017
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:45:00.198729+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/35xxx/CVE-2026-35342.json 38.6.0