CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-35361

lowCVSS 3.4covered by 1 sourcefirst seen 2026-07-06
uutils calls mknod *before* setting the SELinux context (GNU uses setfscreatecon first, labeling atomically). If set_selinux_security_context fails, cleanup uses std::fs::remove_dir, which cannot remove device nodes or FIFOs, leaving the mislabeled node behind. Impact: on SELinux-enforcing systems the node is created with the wrong context; the command reports failure but leaves a mislabeled device node that may bypass mandatory access control, and orphaned nodes can persist across reboots. Recommendation: use setfscreatecon before mknod, abort on failure, and use remove_file for cleanup. Remediation: Acknowledged by Canonical. _Reported by Zellic in the *uutils coreutils Program Security Assessment* (prepared for Canonical, Jan 20 2026), audited commit 3a07ffc5a9bd4c283e75afa548ba1f1957bad242. Finding 3.58. Credit: Zellic._

⚡ Watch CVE-2026-35361

Get an email if CVE-2026-35361 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-35361

CVE.org record

Embed the live status

CVE-2026-35361 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-35361 status](https://www.csirts.com/badge/CVE-2026-35361)](https://www.csirts.com/cve/CVE-2026-35361)