CVE-2026-5958 (GCVE-0-2026-5958)
Vulnerability from cvelistv5
Published
2026-04-20 11:59
Modified
2026-04-20 13:25
Severity ?
2.1 (Low) - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CWE
  • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Summary
When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: 1. resolves symlink to its target and stores the resolved path for determining when output is written, 2. opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process. This issue was fixed in version 4.10.
References
Impacted products
Vendor Product Version
GNU Sed Version: 4.1e   < 4.10
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-5958",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-20T13:25:51.313140Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-20T13:25:59.530Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Sed",
          "repo": "https://gitweb.git.savannah.gnu.org/gitweb/?p=sed.git",
          "vendor": "GNU",
          "versions": [
            {
              "lessThan": "4.10",
              "status": "affected",
              "version": "4.1e",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Micha\u0142 Majchrowicz (AFINE Team)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Marcin Wyczechowski (AFINE Team)"
        }
      ],
      "datePublic": "2026-04-20T12:03:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: \u003cbr\u003e1. resolves symlink to its target and stores\u0026nbsp;the resolved path for determining when output is written,\u003cbr\u003e2. opens the original symlink path\u0026nbsp;(not the resolved one) to read the file. \u003cbr\u003eBetween these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1.\u0026nbsp;This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003eThis issue was fixed in version 4.10."
            }
          ],
          "value": "When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: \n1. resolves symlink to its target and stores\u00a0the resolved path for determining when output is written,\n2. opens the original symlink path\u00a0(not the resolved one) to read the file. \nBetween these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1.\u00a0This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process.\n\n\nThis issue was fixed in version 4.10."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-29",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 2.1,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-367",
              "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-20T12:05:22.221Z",
        "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "shortName": "CERT-PL"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://www.gnu.org/software/sed/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://cert.pl/en/posts/2026/04/CVE-2026-5958"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "Race Condition in GNU Sed",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
    "assignerShortName": "CERT-PL",
    "cveId": "CVE-2026-5958",
    "datePublished": "2026-04-20T11:59:32.214Z",
    "dateReserved": "2026-04-09T09:42:24.687Z",
    "dateUpdated": "2026-04-20T13:25:59.530Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-5958\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-20T13:25:51.313140Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-20T13:25:56.168Z\"}}], \"cna\": {\"tags\": [\"x_open-source\"], \"title\": \"Race Condition in GNU Sed\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Micha\\u0142 Majchrowicz (AFINE Team)\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Marcin Wyczechowski (AFINE Team)\"}], \"impacts\": [{\"capecId\": \"CAPEC-29\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 2.1, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"LOCAL\", \"baseSeverity\": \"LOW\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://gitweb.git.savannah.gnu.org/gitweb/?p=sed.git\", \"vendor\": \"GNU\", \"product\": \"Sed\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.1e\", \"lessThan\": \"4.10\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-04-20T12:03:00.000Z\", \"references\": [{\"url\": \"https://www.gnu.org/software/sed/\", \"tags\": [\"product\"]}, {\"url\": \"https://cert.pl/en/posts/2026/04/CVE-2026-5958\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: \\n1. resolves symlink to its target and stores\\u00a0the resolved path for determining when output is written,\\n2. opens the original symlink path\\u00a0(not the resolved one) to read the file. \\nBetween these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1.\\u00a0This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process.\\n\\n\\nThis issue was fixed in version 4.10.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: \u003cbr\u003e1. resolves symlink to its target and stores\u0026nbsp;the resolved path for determining when output is written,\u003cbr\u003e2. opens the original symlink path\u0026nbsp;(not the resolved one) to read the file. \u003cbr\u003eBetween these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1.\u0026nbsp;This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003eThis issue was fixed in version 4.10.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-367\", \"description\": \"CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition\"}]}], \"providerMetadata\": {\"orgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"shortName\": \"CERT-PL\", \"dateUpdated\": \"2026-04-20T12:05:22.221Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-5958\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-20T13:25:59.530Z\", \"dateReserved\": \"2026-04-09T09:42:24.687Z\", \"assignerOrgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"datePublished\": \"2026-04-20T11:59:32.214Z\", \"assignerShortName\": \"CERT-PL\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.