Skip to main content

uutils coreutils CVE-2026-35349

| EUVDEUVD-2026-24981 MEDIUM
Improper Link Resolution Before File Access (CWE-59)
6.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.7 MEDIUM
AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 07:03 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-24981
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
Patch released
Apr 22, 2026 - 16:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 16:07 nvd
MEDIUM 6.7

DescriptionCVE.org

A vulnerability in the rm utility of uutils coreutils allows a bypass of the --preserve-root protection. The implementation uses a path-string check rather than comparing device and inode numbers to identify the root directory. An attacker or accidental user can bypass this safeguard by using a symbolic link that resolves to the root directory (e.g., /tmp/rootlink -> /), potentially leading to the unintended recursive deletion of the entire root filesystem.

AnalysisAI

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root filesystem by supplying a symbolic link that resolves to the root directory, rather than relying on authentic root inode comparison. The vulnerability affects coreutils versions before 0.7.0 and requires local access with no special privileges, though successful exploitation is hindered by high complexity (AC:H). CISA exploitation status is none at time of analysis, and a vendor patch has been released.

Technical ContextAI

The uutils coreutils rm utility implements a --preserve-root safeguard to prevent accidental or malicious recursion from deleting critical system files. The vulnerable implementation validates the root directory using string-based path comparison rather than comparing actual device and inode numbers (stat-based validation). This allows an attacker to create a symbolic link (e.g., /tmp/rootlink → /) that, when passed to rm -rf, bypasses the string check because the symlink path differs from '/' but resolves to the same directory. The root cause is CWE-59 (Improper Link Resolution Before File Access), a symlink-following vulnerability where the application fails to validate the final resolved target's identity.

RemediationAI

Vendor-released patch: upgrade uutils coreutils to version 0.7.0 or later. The upstream fix is available at GitHub PR #9706 (https://github.com/uutils/coreutils/pull/9706), which modifies the root detection logic to compare device and inode numbers (stat-based validation) rather than path strings. For environments unable to immediately upgrade, implement the following compensating controls: (1) Restrict write access to /tmp and other directories where symlinks could be created, using filesystem permissions or mount options (nodev on /tmp prevents device files but does not prevent symlinks); (2) Disable or alias the rm command to GNU coreutils if available as an alternative, accepting that this introduces version heterogeneity; (3) Monitor execution of rm -r with symlink arguments using SELinux rules or audit hooks. Note that mount option nodev on /tmp will not prevent symlink exploitation but noexec will prevent execution of binaries from that directory. The most effective immediate control is filesystem-level write restriction or switching to a verified implementation until patching is feasible.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

CVE-2026-35355 MEDIUM
6.3 Apr 22

Time-of-Check to Time-of-Use (TOCTOU) race condition in uutils coreutils install utility allows local authenticated atta

Share

CVE-2026-35349 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy