Duplicate Advisory: uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition
Low severity
GitHub Reviewed
Published
Apr 22, 2026
to the GitHub Advisory Database
•
Updated Jul 6, 2026
Withdrawn
This advisory was withdrawn on Jul 6, 2026
Description
Published by the National Vulnerability Database
Apr 22, 2026
Published to the GitHub Advisory Database
Apr 22, 2026
Reviewed
Apr 29, 2026
Last updated
Jul 6, 2026
Withdrawn
Jul 6, 2026
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-mj6p-44ch-cq69. This link is maintained to preserve external references.
Original Description
The mkdir utility in uutils coreutils incorrectly applies permissions when using the -m flag by creating a directory with umask-derived permissions (typically 0755) before subsequently changing them to the requested mode via a separate chmod system call. In multi-user environments, this introduces a brief window where a directory intended to be private is accessible to other users, potentially leading to unauthorized data access.
References