CVE-2026-5958

EUVD-2026-23834
When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: 
1. resolves symlink to its target and stores the resolved path for determining when output is written,
2. opens the original symlink path (not the resolved one) to read the file. 
Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process.


This issue was fixed in version 4.10.
TOCTOU
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
CERT-PLCNA
2.1 LOW
LOCAL
LOW
NONE
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
gnused
4.1e ≤
𝑥
< 4.10
CNA
Debian logo
Debian Releases
Debian Product
Codename
sed
bookworm
4.9-1+deb12u1
fixed
bullseye
postponed
forky
4.9-3
fixed
sid
4.9-3
fixed
trixie
4.9-2+deb13u1
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
sed
suse enterprise desktop 15 SP7
4.9-150600.3.3.1
fixed
suse enterprise sap 15 SP7
4.9-150600.3.3.1
fixed
suse enterprise server 15 SP4
4.4-150300.13.6.1
fixed
suse enterprise server 15 SP7
4.9-150600.3.3.1
fixed
sed-lang
suse enterprise desktop 15 SP7
4.9-150600.3.3.1
fixed
suse enterprise sap 15 SP7
4.9-150600.3.3.1
fixed
suse enterprise server 15 SP4
4.4-150300.13.6.1
fixed
suse enterprise server 15 SP7
4.9-150600.3.3.1
fixed
Common Weakness Enumeration
References
https://cert.pl/en/posts/2026/04/CVE-2026-5958
https://www.gnu.org/software/sed/
http://www.openwall.com/lists/oss-security/2026/05/13/1