CVE-2026-5958

Publication date 19 April 2026

Last updated 6 June 2026

Ubuntu priority

Description

When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: 1. resolves symlink to its target and stores the resolved path for determining when output is written, 2. opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process. This issue was fixed in version 4.10.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
sed	26.04 LTS resolute	Fixed 4.9-2ubuntu1
	25.10 questing	Fixed 4.9-2ubuntu0.25.10.1
	24.04 LTS noble	Fixed 4.9-2ubuntu0.24.04.1
	22.04 LTS jammy	Fixed 4.8-1ubuntu2.1
	20.04 LTS focal	Fixed 4.7-1ubuntu0.1~esm1
	18.04 LTS bionic	Fixed 4.4-2ubuntu0.1~esm1
	16.04 LTS xenial	Not affected
	14.04 LTS trusty	Not affected

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro 30-day free trial

Notes

kkernick

This issue is predicated on a prior commit, e387009, first introduced in version 4.3. In earlier versions --follow-symlinks did not work when reading from STDIN.

References

Related Ubuntu Security Notices (USN)

USN-8229-1
sed vulnerability
4 May 2026

USN-8229-2
sed vulnerability
28 May 2026

Other references

https://www.cve.org/CVERecord?id=CVE-2026-5958