PatchSiren cyber security CVE debrief

CVE-2026-5958 GNU CVE debrief

A race condition vulnerability exists in GNU sed when invoked with both the -i (in-place edit) and --follow-symlinks options. The function open_next_file() performs two separate, non-atomic filesystem operations: first resolving a symlink to its target path for determining output location, then opening the original symlink path to read content. An attacker who can atomically replace the symlink between these two operations can cause sed to read from an attacker-chosen file and write processed output to the originally resolved target path, resulting in arbitrary file overwrite with attacker-controlled content. This vulnerability requires local access and precise timing, with a CVSS 4.0 score of 2.1 (LOW severity). The issue was fixed in GNU sed version 4.10.

Vendor: GNU
Product: Sed
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-20
Original CVE updated: 2026-05-19
Advisory published: 2026-04-20
Advisory updated: 2026-05-19

Who should care

System administrators and developers using sed -i --follow-symlinks in automated scripts, particularly in multi-user environments or on filesystems where untrusted users can manipulate symlinks. Security teams assessing local privilege escalation risks in hardened environments.

Technical summary

The vulnerability stems from a time-of-check to time-of-use (TOCTOU) race condition in sed's open_next_file() function. When --follow-symlinks is combined with -i, the code path (1) calls realpath() or an equivalent to resolve the symlink target and stores that path as the output location, then (2) opens the original symlink path for reading. The window between resolution and open allows an attacker with appropriate filesystem permissions to replace the symlink via an atomic rename. Successful exploitation results in content from an attacker-controlled file being processed and written to the originally resolved target, the attacker's chosen destination. The attack requires local filesystem access and winning the race, which limits practical exploitability.
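The two-step flow described above, together with one way to close the window, as an added example that is not GNU sed's code: after opening the path, the opened descriptor is compared by device and inode with the previously resolved target, and processing is refused if they differ. The directory and file names in run_scenario() are constructed for the demonstration.

```c
/* Added example, not GNU sed's code: step 1 resolves the symlink target, step 2
 * opens the path; comparing the opened inode with the target catches a swap. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Step 1: resolve where the in-place output would be written. */
int resolve_target(const char *path, char *resolved)
{
    return realpath(path, resolved) ? 0 : -1;
}
/* Step 2, hardened: open the original path, then refuse to continue unless the
 * file actually opened is the very inode that was resolved in step 1. */
int open_matching(const char *path, const char *resolved)
{
    struct stat opened, target;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &opened) != 0 || stat(resolved, &target) != 0 ||
        opened.st_dev != target.st_dev || opened.st_ino != target.st_ino) {
        close(fd); /* link changed after resolution: do not process or write */
        return -1;
    }
    return fd;
}

/* Constructed scenario (hypothetical names under mkdtemp): lnk -> target is
 * resolved, then lnk is repointed at other by an atomic rename. Returns 0 when
 * the unchanged link is accepted and the stale resolution is refused. */
int run_scenario(void)
{
    char dir[] = "/tmp/sedraceXXXXXX", lnk[PATH_MAX], target[PATH_MAX];
    char other[PATH_MAX], tmp[PATH_MAX], resolved[PATH_MAX];
    if (!mkdtemp(dir)) return -1;
    snprintf(lnk, sizeof lnk, "%s/lnk", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    snprintf(tmp, sizeof tmp, "%s/tmp", dir);
    close(open(target, O_CREAT | O_WRONLY, 0600));
    close(open(other, O_CREAT | O_WRONLY, 0600));
    if (symlink(target, lnk) != 0 || resolve_target(lnk, resolved) != 0) return -2;
    int fd = open_matching(lnk, resolved); /* unchanged link: must succeed */
    if (fd < 0) return -3; close(fd);
    if (symlink(other, tmp) != 0 || rename(tmp, lnk) != 0) return -4;
    if (open_matching(lnk, resolved) >= 0) return -5; /* stale target: refused */
    unlink(lnk); unlink(target); unlink(other); rmdir(dir);
    return 0;
}
```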

Defensive priority

Low

Recommended defensive actions

  • Upgrade GNU sed to version 4.10 or later to eliminate the race condition vulnerability
  • Avoid using sed with both -i and --follow-symlinks options on untrusted filesystem paths
  • Implement filesystem access controls to restrict symlink manipulation in directories where sed operates
  • Monitor for unexpected file modifications in environments where sed in-place editing is performed on symlinks
  • Apply principle of least privilege to processes invoking sed with in-place editing capabilities

Evidence notes

The vulnerability description is sourced from NVD, with additional context from the CERT.PL advisory. The CVSS 4.0 vector indicates a local attack vector, low attack complexity, and attack requirements reflecting the timing window that must be won. CWE-367 (Time-of-check Time-of-use Race Condition) is identified as the weakness type.

Official resources

CVE-2026-5958 was published on 2026-04-20 and last modified on 2026-05-19. The vulnerability was disclosed through CERT.PL and discussed on the oss-security mailing list.