uutils coreutils CVE-2026-35363

EUVD-2026-25008 MEDIUM

Path Traversal (CWE-22)

2026-04-22 canonical

Path Traversal

5.6

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

Apr 23, 2026 - 07:05 vuln.today

DescriptionNVD

A vulnerability in the rm utility of uutils coreutils allows the bypass of safeguard mechanisms intended to protect the current directory. While the utility correctly refuses to delete . or .., it fails to recognize equivalent paths with trailing slashes, such as ./ or .///. An accidental or malicious execution of rm -rf ./ results in the silent recursive deletion of all contents within the current directory. The command further obscures the data loss by reporting a misleading 'Invalid input' error, which may cause users to miss the critical window for data recovery.

AnalysisAI

The rm utility in uutils coreutils fails to properly validate current directory paths with trailing slashes (./ or .///), allowing local users with write access to silently delete all contents of the current directory via rm -rf ./ while the utility reports a misleading 'Invalid input' error. CVSS score 5.6 reflects local attack vector and required user interaction, though the impact is severe data loss with potential recovery complications.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-35363 vulnerability details – vuln.today

Back