Duplicate Advisory: uutils coreutils' mktemp utility doesn't properly handle an empty TMPDIR environment variable
Low severity
GitHub Reviewed
Published
Apr 22, 2026
to the GitHub Advisory Database
•
Updated Jul 6, 2026
Withdrawn
This advisory was withdrawn on Jul 6, 2026
Description
Published by the National Vulnerability Database
Apr 22, 2026
Published to the GitHub Advisory Database
Apr 22, 2026
Reviewed
Apr 29, 2026
Withdrawn
Jul 6, 2026
Last updated
Jul 6, 2026
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-2w8r-9xj7-69j5. This link is maintained to preserve external references.
Original Description
The mktemp utility in uutils coreutils fails to properly handle an empty TMPDIR environment variable. Unlike GNU mktemp, which falls back to /tmp when TMPDIR is an empty string, the uutils implementation treats the empty string as a valid path. This causes temporary files to be created in the current working directory (CWD) instead of the intended secure temporary directory. If the CWD is more permissive or accessible to other users than /tmp, it may lead to unintended information disclosure or unauthorized access to temporary data.
References