CVE-2026-5958

EUVD-2026-23834

20.04.2026, 12:16

When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path:
1. resolves symlink to its target and stores the resolved path for determining when output is written,
2. opens the original symlink path (not the resolved one) to read the file.
Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process.

This issue was fixed in version 4.10.

TOCTOU

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
CERT-PL	CNA	2.1 LOW	LOCAL	LOW	NONE	CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
gnu	sed	4.1e ≤ 𝑥 < 4.10	CNA

Debian Releases

Debian Product

Codename

sed

bookworm	vulnerable
bullseye	vulnerable
forky	vulnerable
sid	vulnerable
trixie	vulnerable

Common Weakness Enumeration

CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.

References

https://cert.pl/en/posts/2026/04/CVE-2026-5958

https://www.gnu.org/software/sed/