Race Condition in Temporary File Handling
A non-atomic stat/unlink/fopen sequence on a fixed path in /var/tmp is exploitable via symlink substitution.
- CVE: CVE-2026-6822, CVE-2026-6259
- Vendor: Inhand Networks
- Product: 5G Modem
Executive Summary
A targeted review of five candidate functions identified one confirmed vulnerability, in open_ssl_error_file. The issue is a high-severity TOCTOU race condition on a fixed path in /var/tmp that enables unsafe file writes via symlink substitution. The vulnerable path is reachable from network-driven logic, but practical exploitation also requires a local precondition (control of the filesystem namespace in /var/tmp), so the flaw is not exploitable purely remotely.
Binary Profile
- Security Flags: PIE (absent), NX (absent), stack_canary (absent), RELRO (absent)
- Risk Level: High
Findings
1. TOCTOU Race on Fixed /var/tmp/https.error Path — High
- Function: open_ssl_error_file@0x41bb58
- CWE: CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition
- Category: other
- Reachability: reachable_from_network
Description
The function performs a non-atomic check-then-use sequence on the same pathname: stat("/var/tmp/https.error"), a conditional unlink("/var/tmp/https.error") that depends on the stat result, then fopen("/var/tmp/https.error", "a+"). Each call resolves the pathname independently. Because /var/tmp is attacker-writable, an attacker can replace the path with a symlink between these operations, and because fopen follows symlinks, the race can redirect the file writes to an attacker-chosen target file.
Taint Chain
filesystem namespace control in /var/tmp before stat @ 0x41bb80
-> size check on stat result (var_74) @ 0x41bb90/0x41bb94
-> conditional unlink on same path @ 0x41bbcc
-> fopen("/var/tmp/https.error", "a+") @ 0x41bba8
Mitigations
- Present: none
- Absent: O_NOFOLLOW, fd_post_open_fstat_validation, PIE, NX, stack_canary, RELRO
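The following C program is an added illustration of the two absent mitigations named above (O_NOFOLLOW and post-open fstat validation) set against the racy stat/unlink/fopen pattern from the Description. It is not the vendor's code: the function names, the 64 KiB rotation threshold, and the temporary directory layout used by the self-check are all constructed for the example. The racy variant is kept only to show why a check on a pathname cannot be trusted by a later operation on the same pathname; the hardened variant opens with O_NOFOLLOW, validates the descriptor it actually holds, and performs size-based rotation through that descriptor rather than through the name.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed rotation threshold; stands in for whatever size the
 * firmware's stat-based check compares against (not known from the page). */
#define MAX_ERR_FILE_BYTES 65536

/* Hypothetical reconstruction of the pattern the finding describes:
 * stat, conditional unlink, then fopen on the same fixed pathname.
 * Each call resolves the name from scratch, so a symlink placed in the
 * directory between any two calls redirects the later operation.
 * This is the racy "before" form, kept only for contrast. */
FILE *open_error_file_racy(const char *path)
{
    struct stat st;
    if (stat(path, &st) == 0 && st.st_size > MAX_ERR_FILE_BYTES)
        unlink(path);              /* name resolved again: may now be a symlink */
    return fopen(path, "a+");      /* name resolved a third time; fopen follows symlinks */
}

/* Hardened form. O_NOFOLLOW makes open() fail with ELOOP when the final
 * path component is a symlink, and the fstat() that follows validates the
 * object we actually hold rather than a name that may change under us:
 * regular file, owned by the calling process, single hard link.
 * Size-based rotation is then done through the descriptor (ftruncate),
 * so check and action apply to the same inode. Returns an fd or -1. */
int open_error_file_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;                 /* errno == ELOOP means a symlink was refused */

    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    if (st.st_size > MAX_ERR_FILE_BYTES && ftruncate(fd, 0) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check on a constructed layout inside a private mkdtemp() directory:
 * a regular file "target", a symlink "https.error" -> "target", and a path
 * "fresh.error" that does not exist yet. Returns 1 when the racy open
 * follows the link, the hardened open refuses the link with ELOOP, and the
 * hardened open succeeds on the fresh path; 0 otherwise. */
int demo_symlink_handling(void)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    char target[128], linkpath[128], fresh[128];
    FILE *racy = NULL;
    int t = -1, safe_link = -1, safe_fresh = -1, link_errno = 0, ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(linkpath, sizeof linkpath, "%s/https.error", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.error", dir);

    t = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (t < 0 || symlink(target, linkpath) != 0)
        goto cleanup;

    racy = open_error_file_racy(linkpath);      /* reaches "target" through the link */
    safe_link = open_error_file_safe(linkpath); /* must be refused */
    link_errno = errno;
    safe_fresh = open_error_file_safe(fresh);   /* plain new file: must succeed */

    ok = racy != NULL && safe_link == -1 && link_errno == ELOOP && safe_fresh >= 0;

cleanup:
    if (racy) fclose(racy);
    if (t >= 0) close(t);
    if (safe_link >= 0) close(safe_link);
    if (safe_fresh >= 0) close(safe_fresh);
    unlink(fresh); unlink(linkpath); unlink(target); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink handling check: %s\n", demo_symlink_handling() ? "ok" : "FAILED");
    return 0;
}
```

The ownership and link-count checks in open_error_file_safe are what make the descriptor trustworthy after the open: O_NOFOLLOW only rejects a symlink at the final component, so a hard link or a pre-created file owned by another user in a shared directory would still be opened, and fstat on the descriptor is the only check that cannot be raced by renaming the path. Where the directory itself is untrusted, as /var/tmp is, the stronger fix is to move the file to a private directory or to use mkstemp-style creation; the descriptor-based validation shown here is the minimum that closes the stat/unlink/fopen window.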