Linux Distros Unpatched Vulnerability : CVE-2026-5958

🗓️ 20 Apr 2026 00:00:00Reported by TenableType

Sed vulnerability CVE-2026-5958 allows arbitrary file overwrite via symlink race; fixed in sed 4.10.

Reporter	Title	Published	Views	Family All 45
ATTACKERKB	CVE-2026-5958	20 Apr 202611:59	–	attackerkb
CBLMariner	CVE-2026-5958 affecting package sed for versions less than 4.9-2	9 May 202603:31	–	cbl_mariner
Circl	CVE-2026-5958	20 Apr 202603:55	–	circl
CNNVD	GNU Sed 安全漏洞	20 Apr 202600:00	–	cnnvd
CVE	CVE-2026-5958	20 Apr 202611:59	–	cve
Cvelist	CVE-2026-5958 Race Condition in GNU Sed	20 Apr 202611:59	–	cvelist
Debian CVE	CVE-2026-5958	20 Apr 202611:59	–	debiancve
EUVD	EUVD-2026-23834	20 Apr 202612:32	–	euvd
Mageia	Updated sed packages fix security vulnerability	13 May 202607:00	–	mageia
Microsoft CVE	Race Condition in GNU Sed	22 Apr 202608:01	–	mscve

Source	Link
security-tracker	www.security-tracker.debian.org/tracker/CVE-2026-5958
ubuntu	www.ubuntu.com/security/CVE-2026-5958
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(307651);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/05/29");

  script_cve_id("CVE-2026-5958");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2026-5958");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file()
    performs two separate, non-atomic filesystem operations on the same path: 1. resolves symlink to its
    target and stores the resolved path for determining when output is written, 2. opens the original symlink
    path (not the resolved one) to read the file. Between these two calls there is a race window. If an
    attacker atomically replaces the symlink with a different target during that window, sed will: read
    content from the new (attacker-chosen) symlink target and write the processed result to the path recorded
    in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of
    the sed process. This issue was fixed in version 4.10. (CVE-2026-5958)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2026-5958");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2026-5958");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:U/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:U");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-5958");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/04/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:sed");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
  script_require_ports("Host/OS/Debian Linux-11");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Debian Linux-11": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "11",
        "pkgs": [
          {"reference": "sed"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_NOTE,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}

29 May 2026 00:00Current

6Medium risk

Vulners AI Score6

CVSS 42.1

EPSS0.00006

SSVC