{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35342", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-04-02T12:58:56.087Z", "datePublished": "2026-04-22T16:07:41.640Z", "dateUpdated": "2026-04-22T18:15:53.932Z"}, "containers": {"cna": {"title": "uutils coreutils mktemp Insecure Temporary File Placement via Empty TMPDIR", "affected": [{"vendor": "Uutils", "product": "coreutils", "platforms": ["Linux", "Unix", "macOS"], "collectionURL": "https://github.com/uutils", "packageName": "coreutils", "repo": "https://github.com/uutils/coreutils", "versions": [{"status": "affected", "lessThan": "0.6.0", "version": "0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-377", "description": "CWE-377: Insecure Temporary File", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-117", "descriptions": [{"lang": "en", "value": "CAPEC-117: Interception"}]}], "descriptions": [{"lang": "en", "value": "The mktemp utility in uutils coreutils fails to properly handle an empty TMPDIR environment variable. Unlike GNU mktemp, which falls back to /tmp when TMPDIR is an empty string, the uutils implementation treats the empty string as a valid path. This causes temporary files to be created in the current working directory (CWD) instead of the intended secure temporary directory. If the CWD is more permissive or accessible to other users than /tmp, it may lead to unintended information disclosure or unauthorized access to temporary data."}], "references": [{"url": "https://github.com/uutils/coreutils/pull/10566", "tags": ["patch", "issue-tracking"]}, {"url": "https://github.com/uutils/coreutils/releases/tag/0.6.0", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "LOW", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "credits": [{"lang": "en", "value": "Zellic", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-22T16:07:41.640Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T18:15:42.831357Z", "id": "CVE-2026-35342", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:15:53.932Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The mktemp utility in uutils coreutils fails to properly handle an empty TMPDIR environment variable. Unlike GNU mktemp, which falls back to /tmp when TMPDIR is an empty string, the uutils implementation treats the empty string as a valid path. This causes temporary files to be created in the current working directory (CWD) instead of the intended secure temporary directory. If the CWD is more permissive or accessible to other users than /tmp, it may lead to unintended information disclosure or unauthorized access to temporary data."}], "id": "CVE-2026-35342", "lastModified": "2026-04-22T17:16:36.217", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2026-04-22T17:16:36.217", "references": [{"source": "security@ubuntu.com", "url": "https://github.com/uutils/coreutils/pull/10566"}, {"source": "security@ubuntu.com", "url": "https://github.com/uutils/coreutils/releases/tag/0.6.0"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-377"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T18:17:14.961265+00:00", "value": {"mitigation_remediation": ["Upgrade the uutils coreutils package to version 0.6.0 or later, which contains a fix that properly handles empty TMPDIR values.", "Configure TMPDIR to a secure, writable directory such as /tmp, and avoid leaving the variable empty; consider unsetting TMPDIR to trigger the fallback behavior.", "If upgrading is not yet possible, set TMPDIR explicitly at runtime or use a wrapper script to ensure temporary files are created in a safe directory."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the mktemp utility in the uutils coreutils collection. No specific version range is documented by the CNA, but the referenced release 0.6.0 includes the remediation. Administrators should target the uutils coreutils package when assessing deployments.", "description_and_impact": "The mktemp tool in the uutils coreutils suite incorrectly handles an empty TMPDIR environment variable. Unlike the GNU implementation that defaults to /tmp, the uutils version treats the empty string as a literal path and creates temporary files in the current working directory. Because the working directory may have more permissive permissions than the system temporary directory, the temporary data could become visible or editable by other users, leading to unintended information disclosure or unauthorized access.", "risk_and_exploitability": "The CVSS score is 3.3, indicating low overall impact. The EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation. Because creating temporary files requires local user execution, the attack vector is most likely local. An attacker who can run mktemp or influence the TMPDIR environment could cause temporary files to be written to a directory with looser permissions, exposing or allowing modification of temporary data. The risk remains modest, but patching mitigates the potential for local information leakage."}}}}, "created": "2026-04-22T18:30:23.751393+00:00", "updated": "2026-04-22T18:30:23.751406+00:00", "vendors": []}