I wish they'd put the severity. There are 4 highs, the rest are medium or low. Here are the high ones:

https://www.cve.org/CVERecord?id=CVE-2026-35338 - `chmod --preserve-root` can be bypassed. That doesn't seem that bad tbh.

https://www.cve.org/CVERecord?id=CVE-2026-35341 - `mkfifo` accidentally resets the permissions of files that already exist, so if you manage to do `sudo mkfifo /etc/shadow` then it becomes world readable.

https://www.cve.org/CVERecord?id=CVE-2026-35352 - TOCTOU in `mkfifo` lets you do the symlink trick to get it to change permissions on an unrelated file.

https://www.cve.org/CVERecord?id=CVE-2026-35368 - You might be able to get chroot to execute arbitrary code.

Tbh I doubt if any of these would ever result in a real hack, unless your system is doing really mental things like running shell scripts with untrusted input.

I could only find a couple of CVEs that looked actually serious for GNU Coreutils too though. IMO if you're using these tools with untrusted input your system is janky enough that there are going to be serious flaws in it anyway. Probably through quoting mistakes.

I clicked a random one: https://www.cve.org/CVERecord?id=CVE-2026-35344

Quote from the CVE description: "The dd utility in uutils coreutils suppresses errors during file truncation [...] This can lead to silent data corruption in backup or migration scripts, as the utility may report a successful operation even when the destination file contains old or garbage data."

That's terrifying. There's more to bugs than security bugs. You'd expect coreutils to be as bug-free as possible.

Well the TOCTOU issues do not require you to run untrusted scripts to be exploited. Another user on your system can use a legitimate command that you may run to make changes to files they shouldn’t be able to, or further escalate privileges.
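An added example, not from any commenter and not the uutils or GNU code: one race-free way for a tool to create a FIFO with an exact mode, assuming the two `mkfifo` issues discussed above come from changing permissions by path after creation. The names `make_fifo` and `chmod_fifo_nofollow` are hypothetical.

```python
import os
import stat

def chmod_fifo_nofollow(path, mode):
    """Set `mode` on `path` only if it is a FIFO we own; never follow symlinks."""
    # O_NOFOLLOW: a symlink swapped in at `path` makes open() fail (ELOOP).
    # O_NONBLOCK: a read-only open of a FIFO returns at once with no writer.
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISFIFO(st.st_mode):
            raise ValueError(f"{path}: not a FIFO, permissions left alone")
        if st.st_uid != os.geteuid():
            raise PermissionError(f"{path}: FIFO owned by another user")
        # fchmod acts on the inode that was just checked, not on whatever
        # the name points to now, so the check and the change cannot be
        # separated by a rename or symlink swap.
        os.fchmod(fd, mode)
    finally:
        os.close(fd)

def make_fifo(path, mode=0o644):
    """Create a new FIFO with exactly `mode`, independent of the umask."""
    # mkfifo raises FileExistsError for any existing entry, symlinks
    # included, so a file that is already there is never modified.
    os.mkfifo(path, 0o600)
    chmod_fifo_nofollow(path, mode)
```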

Fair point. Though tbh I still think the user-isolation security for Linux is only really suited for the University/company threat model, where you generally trust users not to actually use exploits because they would get expelled/fired.

If you allow a completely untrusted user onto your system I think your chances of staying secure are low.

Then why rewrite coreutils in Rust? TOCTOU isn't exactly some new concept. Neither are https://owasp.org/Top10/2025/ (most of which a good web framework will prevent or mitigate), and switching to Rust (as far as I know) won't bring you a safer web framework like Django or Rails.