VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-868e-a9h5-vuc7

Essentials
Severities (16)
References (7)
Severity details (13)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-868e-a9h5-vuc7
Aliases	CVE-2026-35353 GHSA-vf87-345h-9qhx
Summary	The mkdir utility in uutils coreutils incorrectly applies permissions when using the -m flag by creating a directory with umask-derived permissions (typically 0755) before subsequently changing them to the requested mode via a separate chmod system call. In multi-user environments, this introduces a brief window where a directory intended to be private is accessible to other users, potentially leading to unauthorized data access.
Status	Published
Exploitability	0.5
Weighted Severity	3.0
Risk	1.5
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

System	Score	Found at
epss	0.00012	https://api.first.org/data/v1/epss?cve=CVE-2026-35353
epss	0.00012	https://api.first.org/data/v1/epss?cve=CVE-2026-35353
epss	0.00012	https://api.first.org/data/v1/epss?cve=CVE-2026-35353
cvssv3.1_qr	LOW	https://github.com/advisories/GHSA-vf87-345h-9qhx
cvssv3.1	3.3	https://github.com/uutils/coreutils
generic_textual	LOW	https://github.com/uutils/coreutils
cvssv3.1	3.3	https://github.com/uutils/coreutils/commit/037b9583bc03d814e8516df54ebcda6f681fe1f8
generic_textual	LOW	https://github.com/uutils/coreutils/commit/037b9583bc03d814e8516df54ebcda6f681fe1f8
cvssv3.1	3.3	https://github.com/uutils/coreutils/pull/10036
generic_textual	LOW	https://github.com/uutils/coreutils/pull/10036
ssvc	Track	https://github.com/uutils/coreutils/pull/10036
cvssv3.1	3.3	https://github.com/uutils/coreutils/releases/tag/0.6.0
generic_textual	LOW	https://github.com/uutils/coreutils/releases/tag/0.6.0
ssvc	Track	https://github.com/uutils/coreutils/releases/tag/0.6.0
cvssv3.1	3.3	https://nvd.nist.gov/vuln/detail/CVE-2026-35353
generic_textual	LOW	https://nvd.nist.gov/vuln/detail/CVE-2026-35353

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2026-35353
		https://github.com/uutils/coreutils
		https://github.com/uutils/coreutils/commit/037b9583bc03d814e8516df54ebcda6f681fe1f8
		https://nvd.nist.gov/vuln/detail/CVE-2026-35353
0.6.0		https://github.com/uutils/coreutils/releases/tag/0.6.0
10036		https://github.com/uutils/coreutils/pull/10036
GHSA-vf87-345h-9qhx		https://github.com/advisories/GHSA-vf87-345h-9qhx

No exploits are available.

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/uutils/coreutils

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/uutils/coreutils/commit/037b9583bc03d814e8516df54ebcda6f681fe1f8

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/uutils/coreutils/pull/10036

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:40:48Z/ Found at https://github.com/uutils/coreutils/pull/10036

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/uutils/coreutils/releases/tag/0.6.0

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:40:48Z/ Found at https://github.com/uutils/coreutils/releases/tag/0.6.0

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-35353

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.01779
EPSS Score	0.00012
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T16:44:55.147546+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2026/35xxx/CVE-2026-35353.json	38.6.0