Full Report
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability (CVE-2026-5958) has been found in GNU sed software.
Analysis Summary
# Vulnerability: GNU sed Time-of-check Time-of-use (TOCTOU) Race Condition
## CVE Details
- **CVE ID**: CVE-2026-5958
- **CVSS Score**: Not explicitly provided in the article (typically High for arbitrary file overwrites)
- **CWE**: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
## Affected Systems
- **Products**: GNU sed
- **Versions**: From version 4.1e to versions prior to 4.10.
- **Configurations**: The vulnerability is triggered when sed is invoked using both the `-i` (in-place edit) and `--follow-symlinks` flags simultaneously.
## Vulnerability Description
The flaw exists within the `open_next_file()` function. When processing files, the software performs two non-atomic filesystem operations:
1. It resolves a symlink to its target and stores that destination path to determine where the final output should be written.
2. It opens the original symlink path to read the input data.
A "race window" exists between these two operations. An attacker can use this window to atomically replace the symlink with a different target. Consequently, sed reads content from the attacker’s new target but writes the processed output to the path resolved in the first step.
## Exploitation
- **Status**: Discovered via responsible disclosure; no mention of active exploitation in the wild.
- **Complexity**: High (Requires precise timing to win the race condition during the filesystem operations).
- **Attack Vector**: Local (The attacker must have the ability to modify symlinks on the local filesystem where sed is operating).
## Impact
- **Confidentiality**: Low/Medium (Attacker may cause sed to read files they shouldn't normally process).
- **Integrity**: High (Allows for arbitrary file overwrite with attacker-controlled content).
- **Availability**: Medium (Overwriting critical system or application files can lead to service disruption).
## Remediation
### Patches
- **GNU sed 4.10**: This version contains the official fix for the vulnerability. Users are urged to upgrade to this version or newer.
### Workarounds
- Avoid using the `--follow-symlinks` flag in conjunction with `-i` (in-place) editing when processing files in directories where untrusted users have write permissions.
## Detection
- **Indicators of compromise**: Rapid, automated symlink changes in directories where administrative scripts run `sed`.
- **Detection methods and tools**: File Integrity Monitoring (FIM) tools can be used to monitor for unexpected writes to sensitive files by the `sed` process. Auditd (Linux Audit Daemon) can be configured to track `symlink` and `rename` syscalls in temporary or shared directories.
## References
- **Vendor Advisory**: hxxps://www.cve.org/CVERecord?id=CVE-2026-5958
- **CERT Polska Advisory**: hxxps://cert.pl/en/posts/2024/04/vulnerability-in-gnu-sed/ (Based on the provided report date).
- **CWE Definition**: hxxps://cwe.mitre.org/data/definitions/367.html