The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss.
The product checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Coreutils | Uutils | - (including) | - (including) |
| Rust-coreutils | Ubuntu | devel | * |
| Rust-coreutils | Ubuntu | esm-apps/noble | * |
| Rust-coreutils | Ubuntu | noble | * |
| Rust-coreutils | Ubuntu | questing | * |
| Rust-coreutils | Ubuntu | resolute | * |
| Rust-coreutils | Ubuntu | upstream | * |