CVE-2026-35349
Symbolic Link Bypass in uutils rm Enables Root Filesystem Deletion
Publication date: 2026-04-22
Last updated on: 2026-04-27
Assigner: Canonical Ltd.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uutils | coreutils | to 0.7.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the rm utility of uutils coreutils, where the --preserve-root protection can be bypassed. Instead of properly verifying the root directory by comparing device and inode numbers, the implementation uses a path-string check. This allows an attacker or accidental user to create a symbolic link that points to the root directory (for example, /tmp/rootlink -> /) and bypass the safeguard.
As a result, the rm command may recursively delete the entire root filesystem unintentionally.
How can this vulnerability impact me? :
The vulnerability can lead to the unintended recursive deletion of the entire root filesystem. This means critical system files and data could be erased, potentially causing system failure, data loss, and downtime.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows bypassing the --preserve-root protection in the rm utility, potentially leading to unintended recursive deletion of the entire root filesystem.
Such a deletion could result in loss of critical system and data files, which may impact the availability and integrity of data.
Loss of data availability and integrity can affect compliance with standards like GDPR and HIPAA, which require organizations to protect personal and sensitive data from unauthorized destruction or loss.
Therefore, exploitation of this vulnerability could lead to non-compliance with these regulations due to failure in maintaining data integrity and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the `rm` utility in uutils coreutils where the `--preserve-root` protection can be bypassed using symbolic links that resolve to the root directory.
To detect if your system is vulnerable, you can check for the presence of symbolic links that point to the root directory, such as links like `/tmp/rootlink -> /`.
Suggested commands to identify such symlinks include:
- Find symbolic links pointing to root: `find / -type l -exec readlink -f {} \; | grep '^/$'`
- Check if your `rm` command is from uutils coreutils and its version: `rm --version` or check the package version installed.
- Test the behavior of `rm --preserve-root` with a symlink to root carefully in a controlled environment to see if it blocks deletion.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the uutils coreutils package to a version that includes the fix merged on February 5, 2026.
The fix ensures that `rm` resolves symbolic links and correctly identifies the root directory, preventing bypass of the `--preserve-root` safeguard.
Until the update is applied, avoid using `rm --preserve-root` on paths that may involve symbolic links pointing to root, and audit your system for such symlinks.
Additionally, consider restricting permissions to prevent untrusted users from creating symbolic links that could exploit this vulnerability.