Skip to main content

uutils coreutils CVE-2026-35363

| EUVDEUVD-2026-25008 MEDIUM
Path Traversal (CWE-22)
5.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.6 MEDIUM
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 23, 2026 - 07:05 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-25008
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
CVE Published
Apr 22, 2026 - 16:08 nvd
MEDIUM 5.6

DescriptionCVE.org

A vulnerability in the rm utility of uutils coreutils allows the bypass of safeguard mechanisms intended to protect the current directory. While the utility correctly refuses to delete . or .., it fails to recognize equivalent paths with trailing slashes, such as ./ or .///. An accidental or malicious execution of rm -rf ./ results in the silent recursive deletion of all contents within the current directory. The command further obscures the data loss by reporting a misleading 'Invalid input' error, which may cause users to miss the critical window for data recovery.

AnalysisAI

The rm utility in uutils coreutils fails to properly validate current directory paths with trailing slashes (./ or .///), allowing local users with write access to silently delete all contents of the current directory via rm -rf ./ while the utility reports a misleading 'Invalid input' error. CVSS score 5.6 reflects local attack vector and required user interaction, though the impact is severe data loss with potential recovery complications.

Technical ContextAI

The vulnerability stems from insufficient path normalization in the rm utility's safeguard mechanism (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). The utility correctly blocks deletion of the literal paths '.' and '..' but fails to recognize semantically equivalent paths with trailing slashes such as './' or './//', which resolve to the current directory after path canonicalization. This represents a classic path traversal validation bypass where the input sanitization logic does not account for all syntactic variations of the same logical path. The affected product is the Rust-based reimplementation of GNU coreutils (uutils), which aims for compatibility with POSIX-standard utilities but contains this regression in directory protection logic.

RemediationAI

Upgrade to a patched version of uutils coreutils that correctly normalizes and validates paths with trailing slashes to prevent rm from accepting './', './//', or other equivalent forms of the current directory. Consult the GitHub issue at https://github.com/uutils/coreutils/issues/9749 for patch availability and exact version. As a temporary compensating control, restrict rm usage in critical environments via AppArmor, SELinux, or sudo restrictions to trusted users only, or mandate code review for any rm -rf commands in scripts. However, these controls do not prevent accidental misuse by authorized developers. Additionally, implement file system snapshots or atomic backups in critical directories (particularly project roots and home directories) to reduce recovery time window if silent deletion occurs. Organizations should also audit any CI/CD pipelines or deployment scripts that invoke rm with wildcards or directory arguments, as this vulnerability increases risk in automation contexts.

CVE-2014-9471 HIGH POC
7.5 Jan 16

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex

CVE-2026-35368 HIGH
7.8 Apr 22

Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access

CVE-2026-35338 HIGH POC
7.3 Apr 22

Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l

CVE-2026-35341 HIGH POC
7.1 Apr 22

Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f

CVE-2026-35352 HIGH
7.0 Apr 22

Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe

CVE-2026-35349 MEDIUM
6.7 Apr 22

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi

CVE-2026-35365 MEDIUM
6.6 Apr 22

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file

CVE-2026-35350 MEDIUM
6.6 Apr 22

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil

CVE-2026-35374 MEDIUM
6.3 Apr 22

The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local

CVE-2026-35364 MEDIUM
6.3 Apr 22

A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op

CVE-2026-35360 MEDIUM
6.3 Apr 22

The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo

CVE-2026-35356 MEDIUM
6.3 Apr 22

Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker

Share

CVE-2026-35363 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy